Abstract. The notion of simulatable security (reactive simulatability, universal composability) is a powerful tool for allowing the modular design of cryptographic protocols (composition of protocols) and showing the security of a given protocol embedded in a larger one. Recently, these methods have received much attention in the quantum cryptographic community (e.g. [RK04, BOHL+04]).

We give a short introduction to simulatable security in general and proceed by sketching the many different definitional choices together with their advantages and disadvantages. Based on the reactive simulatability modelling of Backes, Pfitzmann and Waidner [BPW04b] we then develop a quantum security model. By following the BPW modelling as closely as possible, we show that composable security definitions for quantum protocols can strongly profit from their classical counterparts, since most of the definitional choices in the modelling are independent of the underlying machine model. In particular, we give a proof of the simple composition theorem in our framework.

Keywords: quantum cryptography, security definitions, simulatable security, universal 
composability. 
1 Introduction



1.1 Overview 

In Section 1.2 we state what the contribution of this work is.

In Section 1.3 we give a short statement about the use of terminology in the field of simulatable security.

In Section 1.4 we try to give an overview of the historical development of simulatable security.

Sections 1.5 and 1.6 give a short introduction to the notion of simulatable security.

Sections 1.7 to 1.13 give an overview of the design decisions appearing in the modelling of simulatable security.

Section 1.14 gives a short comparison between our model and that of [BOM04].

Section 1.15 very tersely recapitulates the quantum mechanical formalism used in this work.

Section 2 is concerned with the actual definition of quantum machines and quantum networks.

Based on these definitions, Section 3 gives a security definition for quantum protocols. Section 4 introduces the definition of composition and shows the simple composition theorem.

Finally, in Section 5 some concluding remarks can be found.

1.2 Our contribution 

Our contribution in this work is threefold: 

— In the introduction we give a survey of the design decisions that have to be made when designing a simulatable security model. We do not only expose the decisions involved in our definition, but try to look at other models, too. The problems in the definitions of simulatable security models are often underestimated; we hope that our survey will give an impression of what problems lie ahead on the (probably still quite long) route to finding a simple and convincing model of security.

— Our second contribution is to show that when defining quantum security models, many of the decisions to be made are not related to the quantum nature of the communication, but would already appear in a classical modelling.

To emphasise that point, we develop our model in strong similarity to the classical modelling of [BPW04b]; our quantum model can therefore be seen as a quantum extension of that modelling.

By this we hope to show that quantum and classical security models should be developed hand in hand: first solve the problems appearing in the classical modelling, and then try and lift the classical model to the quantum case.

— Third, we give a concrete model of security. We hope that this model will show problems and possibilities in simulatable security, and be a step on the way towards a simple and yet general security definition.

The current version seems to represent a consistent modelling of security; however, the author has to admit that the generality in the modelling of scheduling had a price: complexity. We fear that in the present modelling a complete formal proof of security might be quite unwieldy. This can be seen in the present work in Section 4.1, where the author was unable to find a readable proof for the statements there and therefore took recourse to a rather vague sketch. We hope that future security models will solve this problem without loss of generality. (See also Section 5.)

1.3 A word on terminology 

Some confusion exists when it comes to actually finding a name for the concept of simulatable security. In order to prevent misunderstandings and allow the reader to compare the present modelling with others, we will shortly comment on the terminology used in the present work.

The most widely known term is universal composability. This notion was introduced by Canetti [Can01]. Since then, the notion universal composition and especially UC framework became strongly associated with the model of Canetti. However, the term universal composability is used in two other ways: first, it is used to denote the property of being secure according to definitions similar to that of [Can01] or [BPW04b], without meaning the model of Canetti in particular. Second, universal composability often denotes the applicability of the Composition Theorem. However, since there are different flavours of the Composition Theorem, sometimes universal composability means concurrent and simple composability^1 (e.g. in [Can01]), while on other occasions it is used for simple composability.

Besides the model of Canetti, another model found much interest in the last few years: the model of Backes, Pfitzmann, and Waidner [PW01, BPW04b]. While the term universal composability in its most general meaning can be applied to that model, too, Backes, Pfitzmann, and Waidner [BPW04b] prefer the use of reactive simulatability.

In order to avoid such confusion, we will adhere to the following convention in the present exposition: for the modelling by Canetti we will use the term UC framework. The modelling by BPW we shall name reactive simulatability (or shorter RS framework), while the overall concept of security notions using simulation and guaranteeing composition (encompassing these two modellings) we will call simulatable security.

The different flavours of the composition theorem we will differentiate by using the attributes simple, concurrent, and the combination of both (see Section 1.9). In this nomenclature the Universal Composition Theorem of [Can01] would be called Simple and Concurrent Composition Theorem, while the Composition Theorem of [BPW04b] would be named Simple Composition Theorem. We refrain from using the shorter term universal composition for simple and concurrent composition to prevent confusion with the other meanings described above.

A further term which is noteworthy in this context is that of the honest user and the environment, resp. Both denote the same idea, the first being used in the RS framework, the second in the UC framework. We will use these two notions interchangeably, preferring environment when trying to motivate or explain on an intuitive level, while sticking to honest user when giving formal definitions or proofs. The same holds for the terms trusted host (RS framework) and ideal functionality (UC framework).

More terms will appear in the course of this exposition which have different translations in different frameworks. We will mention these when introducing the notions in our exposition. The reader is strongly encouraged to use the index at the end of this work to find these translations.

^1 See Section 1.9 for an analysis of the difference between concurrent and simple composability.

1.4 A brief historical account 

To the best of our knowledge, the notion of a simulator to define security of a protocol was first introduced in the definition of zero-knowledge proofs [GMR85]. Here the simulation paradigm was used to ensure that the verifier could not learn anything except the truth of the statement to be proven. This was done by requiring that any transcript of the interaction between prover and verifier could also be generated by the simulator (without knowing a proof witness for the statement). If this is possible, then the interaction of course does not allow to learn anything about the proof.

However, it turned out that this definition, while capturing very well the idea that the verifier learns nothing about the proof, does not guarantee the possibility to compose two zero-knowledge protocols in parallel (without losing the zero-knowledge property).

Note further that here the simulation paradigm was only used for one of the required properties (being zero-knowledge); the soundness condition (i.e., that the protocol indeed is a proof) was defined in another manner. In this it differs from today's simulatable security, which aspires to capture all security properties in one single definition.

In [Bea92] the notion of relative resilience was introduced. This notion allowed to say that one protocol π was at least as secure as another protocol/trusted host ρ by requesting that for all protocol inputs and all adversaries, there is a simulator, so that the outputs of π with the adversary and of ρ running with the simulator are indistinguishable. This was a major step towards today's notion of simulatability, since a protocol's security was now defined in comparison to an ideal specification. [Bea92] showed that the security definition was closed under sequential composition (executing one protocol after another). However, when executing protocols in parallel, no guarantee was given. At the same time [MR92] announced another model based on a notion of simulatability, even achieving some kind of composition (reducibility). It is unknown to the author whether this idea was further pursued.

Later [PSW00] and [Can00] introduced independent models with synchronous scheduling (see Section 1.11). The model of [PSW00] (a predecessor of the BPW model [BPW04b] underlying our model) already had a simple composition theorem, i.e. one could use one protocol as a sub-protocol of another, and the sub-protocol could run simultaneously with the calling protocol (see Section 1.9). [Can00] achieved a similar result; however, the security of a composed protocol could only be ensured in [Can00] if the calling protocol was suspended until the sub-protocol terminated. When the calling and the called protocol were executed simultaneously, no guarantee would be made. So this composition theorem may be classified as being a sequential composition theorem, similar (but somewhat more powerful) to that of [Bea92].

Shortly afterwards, both Pfitzmann and Waidner [PW01] and Canetti [Can01] presented asynchronous versions of their models. [PW01] had, in our nomenclature, a simple composition theorem, and [Can01] a simple and concurrent composition theorem (see Section 1.9). In [BPW04a] it was shown that not only simple but also concurrent composition is possible in their model.

To the best of our knowledge, the first simulation-based quantum security models were [vdG98] and [Smi01]. Like [Bea92], both did not have the notion of an honest user/environment; therefore they too could only guarantee sequential composition. The first models having an honest user/environment were the independent works [BOM02] and [Unr02]. Both based on Canetti's model, they both provided simple and concurrent composition (see Section 1.9).

1.5 On the necessity of simulatable security 

A question that may arise is why we need another security definition. Are there not sufficiently many definitions like privacy, correctness, robustness, non-malleability, etc. (the list of security properties found in the literature is very long)? Why add another one?

There are several good reasons for this:

— There are (admittedly constructed) protocols where the privacy requirement is fulfilled, where the correctness requirement is fulfilled, but where information nevertheless leaks. The example goes back to Micali and Rogaway and we cite here the version found in the introduction of [Graaf:1998:Towards]:

Let x and y be the inputs of Alice and Bob, resp. They want to evaluate the function g given by



Here lsb(y) stands for the last bit of y, and 0x and 1y for concatenation. Consider the following protocol for this task:

1. Alice and Bob commit to the bits of their inputs using some secure bit commitment scheme.

2. Bob unveils lsb(y).

3. If lsb(y) = 0, Alice unveils x. If lsb(y) = 1, Bob unveils y. Now both parties can calculate g(x, y).

4. Additionally (just for the sake of the counterexample), Alice sends x to Bob.

Clearly, the protocol is correct (i.e. the function g(x, y) is always evaluated correctly). Further, the privacy condition is fulfilled, since in the specification of the protocol there always is a way for Bob to learn Alice's input, so the fact that x is sent to Bob does formally not violate the privacy condition (see [Graaf:1998:Towards] for details).

But intuitively, the function is not evaluated in a secure fashion, since in the specification Bob would learn Alice's input only for lsb(y) = 0, while in the protocol he always learns it.

So a new definition is needed to capture both privacy and correctness in one go. Simulatable security has this advantage.

— The second problem is that the list of desirable security properties is ever growing; it is not restricted to just privacy and correctness. Simulatable security encompasses many definitions at once using a very general approach (see Section 1.6), so one can have more confidence that the intuitive security is guaranteed by simulatable security. (Note however that some special security properties like incoercibility are not guaranteed by simulatable security [MQ03].)



— The probably most striking problem of many security properties is incomposability. If a protocol π is given for some cryptographic primitive X (say a bit commitment), and another protocol ρ using X securely accomplishes something great, then it would seem natural to combine π and ρ to get a protocol accomplishing the great thing without recourse to any primitives. However, it turns out that there is no guarantee that the composed protocol is still secure.

To remove this lack of certainty, and to allow the modular construction of protocols, we need a security definition that is composable, i.e. one that allows designing protocols for small tasks and using these as building blocks for bigger protocols, without having to prove the security of the bigger protocols from scratch.

Fortunately, simulatable security provides such composability (see Section 1.9).



1.6 What is simulatable security? 

The basic idea is as follows: Assume that we have some given cryptographic application, and we can specify some reference protocol (the ideal protocol) or trusted host TH, which does implement the wanted behaviour in a secure way. Of course, we now have to design that trusted host, but this is usually easier than designing the protocol, since we do not have to bother with details like insecure communication, or who should carry out computations etc., since TH can by definition be regarded as trusted.

If we then accept that the trusted host is secure (though not necessarily feasible), we can define that some protocol π (the real protocol) is as secure as TH if replacing TH by π in any situation does not result in any disadvantage for any person (except the adversary, of course). But how do we formalise situations and how do we formalise disadvantages? We simply introduce the concept of the environment and the (real) adversary. The environment is some entity which interacts with the protocol and the adversary as a black box and at the end may decide whether something harmful has happened. When we quantify over all possible environments (possibly restricting the computational power), and for no environment (i.e. in no situation) some harm happened using π which could not have happened using TH, too, then replacing TH by π is clearly a sensible course of action; at least it will surely do no harm (none that could be detected by the environment, at least), thus π can be considered to be secure.

The preceding explanation still has a great drawback: An adversary (for which the protocol's internals are no black box, of course) could simply vary its output depending on whether we use π or TH. Then the environment might simply consider the output "π is in use" as harmful, and suddenly π would be insecure. But, when considering our requirement that everything harmful which can happen using π can also happen using TH, we can reasonably interpret it as: everything harmful which can happen using π with some adversary A_real can also happen using TH with some (other) adversary A_sim, the simulator. If we accept this formulation, which implies that in any situation the adversary may freely choose its strategy to be as "harmful" as possible, we get the security definition which we will develop and examine in this work.

One simplification we may still introduce: So far we have required that using π, we get at most as much harm as when using TH. In fact, we can change this definition so that we require that we get the same amount of harm. This simplifies the definition and is in fact equivalent, since if one environment defines something as harm, then some other environment could define the opposite as harm, thus bounding the amount of harm from both sides and resulting in a claim of equality. After introducing this simplification, the word "harm" is of course inadequate, so we will use the more neutral notion of the output of the environment. Further, it is a matter of taste whether we should say that the environment outputs exactly one bit; one may also allow the environment to generate a whole stream of output, which should then be indistinguishable in runs with the real protocol and the trusted host (ideal protocol), see Section 1.8.

So if we put these considerations together, we get a first definition sketch that runs along the following lines: For any adversary A_real, there is some adversary A_sim, such that for any environment H, the output of H when running with A_real and π is indistinguishable from that of H running with A_sim and TH.

In the RS framework of [PW01, BPW04b], the environment is instead called the honest user, reflecting the intuition that its view represents anything (e.g. any harm) that an honest user of the protocol may experience. Further, instead of the notion trusted host, it is also very common to speak of an ideal functionality, e.g. in the model of

Of course, the above definition sketch still leaves many open questions, like what a protocol formally is, what indistinguishable means, how messages and machines are scheduled, etc. We will try and discuss these questions in the following paragraphs.
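The Micali-Rogaway counterexample of Section 1.5, run against an environment in the sense of Section 1.6, as an added Python model that is not part of the paper. It assumes g(x, y) = 0x if lsb(y) = 0 and 1y if lsb(y) = 1 (the formula itself is not legible in this copy), represented as the pairs (0, x) and (1, y), and it idealises the commitments, since only the information flow matters here.

```python
"""Added model of the Section 1.5 counterexample (not from the paper).

Assumed: g(x, y) = 0x if lsb(y) == 0, else 1y, modelled as (0, x) / (1, y).
Commitments are idealised: they reveal nothing until unveiled."""
import secrets


def lsb(v: int) -> int:
    return v & 1


def g(x: int, y: int) -> tuple:
    # Assumed definition of g: both parties learn x if lsb(y) == 0, else y.
    return (0, x) if lsb(y) == 0 else (1, y)


def ideal_run(x: int, y: int) -> dict:
    """Trusted host TH: each party receives nothing but g(x, y).
    For lsb(y) == 1 Bob's view is (1, y), which does not depend on x at all,
    so no simulator can make it contain x."""
    out = g(x, y)
    return {"alice": {"output": out}, "bob": {"output": out}}


def real_run(x: int, y: int) -> dict:
    """Steps 1-4 of the protocol; each dict records what that party sees."""
    alice, bob = {}, {}
    # Step 1: both commit to their inputs (idealised, nothing is seen yet).
    # Step 2: Bob unveils lsb(y).
    alice["lsb_y"] = bob["lsb_y"] = lsb(y)
    # Step 3: the holder of the selected input unveils it; both compute g.
    if lsb(y) == 0:
        bob["x"] = x
    else:
        alice["y"] = y
    alice["output"] = bob["output"] = g(x, y)
    # Step 4: the deliberate flaw, Alice sends x to Bob regardless of lsb(y).
    bob["leaked_x"] = x
    return {"alice": alice, "bob": bob}


def bob_sees_x(bob_view: dict, x: int) -> bool:
    """True iff Alice's input x occurs anywhere in Bob's view."""
    seen = set()
    for v in bob_view.values():
        seen.update(v if isinstance(v, tuple) else (v,))
    return x in seen


def environment(run, trials: int = 200, bits: int = 32) -> float:
    """Environment H / distinguisher: chooses a random x and a y with
    lsb(y) == 1 (the case in which the specification keeps x from Bob),
    runs the protocol and outputs 1 iff x shows up in Bob's view.
    Returns the fraction of runs in which H outputs 1; the gap between
    the real and the ideal value is the distinguishing advantage."""
    hits = 0
    for _ in range(trials):
        x = secrets.randbits(bits)
        y = secrets.randbits(bits) | 1
        hits += bob_sees_x(run(x, y)["bob"], x)
    return hits / trials


if __name__ == "__main__":
    print("real :", environment(real_run))   # 1.0: x always leaks
    print("ideal:", environment(ideal_run))  # ~0.0: TH never reveals x here
```

The per-property checks of Section 1.5 pass for this protocol (g is always computed, and the specification does allow Bob to learn x for some y), yet the environment separates real and ideal runs with advantage close to 1, which is exactly what the simulation-based definition detects.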

1.7 On the order of quantifiers 

In Section 1.6 we "defined" simulatable security approximately as follows: For all adversaries there is a simulator s.t. for all environments the real and ideal protocol are indistinguishable, in symbols: ∀A_real ∃A_sim ∀H .... However, rereading our motivation one might ask whether the following order of quantifiers does not have as much justification: ∀A_real ∀H ∃A_sim ..., i.e. should the simulator be allowed to depend on the environment/honest user or not?

In fact, both orders are common. [BPW04b] calls security with respect to the ∀A_real ∃A_sim ∀H ordering universal security, and security with respect to the ∀A_real ∀H ∃A_sim ordering standard security. The model of [Can01] uses the stricter notion of universal security, while the [BPW04b] model defines both notions.

One might wonder whether standard and universal security are equivalent. It was however shown in [?] that for statistical and polynomial security (see Section 1.8) there are examples separating these two notions.

There is also a very practical point separating these two notions: for showing a simple composition theorem (see Section 1.9) it is sufficient to have standard security, whereas all proofs for concurrent composition theorems known to the author need universal security. Note that to the best of our knowledge it is unknown whether concurrent composability could be proven using standard simulatability.

A further ordering of quantifiers appears in [BPW04b]: black-box security. This notion, which is even stricter than universal security, is roughly defined as follows: There is a simulator s.t. for all real adversaries and all environments, the real protocol running with environment and real adversary is indistinguishable from the ideal protocol running with environment and simulator, where the simulator has access to the adversary in a black-box manner. In other words, the simulator is not allowed to depend on the real adversary in any manner, but only by using the adversary as a black box (without rewinding). Since no properties are known to the author which give an advantage of black-box over universal security, we will ignore this notion in the present work, concentrating on universal and standard security.

1.8 Views versus output bits - the verdict of the honest user 

In Section 1.6 we required that the views or outputs of the environment are indistinguishable in the run of the real and the ideal protocol. We will now discuss this indistinguishability in more detail.

The first definitional choice to be made is whether the environment outputs only one bit (as done in [Can01]) or has a continuous stream of output, the view of the environment (as done in [BPW04b]). We follow the choice of [BPW04b] and define the view of the honest user to be the transcript of all its classical in- and outputs.

We can now define probability distributions Real_k, Ideal_k for the view/output bit in the run of the real or ideal protocol, indexed by the security parameter k.

We sketch the following major notions of indistinguishability:

— Perfect. The distributions Real_k and Ideal_k are identical. If further environment, adversary and simulator are computationally unbounded, we talk of perfect security.

— Statistical. There is a negligible function^2 ν, s.t. the statistical distance^3 of Real_k and Ideal_k is bounded by ν(k) for all security parameters k.

If further environment, adversary and simulator are computationally unbounded, we talk of strict statistical security. We will only use the notion of strict statistical security in the present work.

Another variant of security using statistical indistinguishability is that of statistical security as defined in [BPW04b]. Here we require that for any polynomial l the prefixes of length l(k) of Real_k and Ideal_k are indistinguishable. However, the simple composition theorem does not hold using this security notion [?].

— Computational. For any algorithm D (the distinguisher) that is polynomial-time in k and has one-bit output, the outputs of D given Real_k resp. Ideal_k as input are statistically indistinguishable. When restricting honest user, adversary and simulator to be computationally bounded (see Section 1.12) we talk of computational indistinguishability. A more detailed definition can be found e.g. in [BPW04b].

In the case of one-bit output of the environment, computational and statistical indistinguishability obviously coincide.

For quantum protocols, computational indistinguishability has to be redefined to incorporate the power of quantum distinguishers.

^2 There are different possibilities as to which functions are accepted as negligible ones. Usually a function is called negligible if it asymptotically gets smaller than 1/p for any polynomial p.

^3 Intuitively, the statistical distance describes how well an optimal test can distinguish between two distributions.

1.9 Flavours of composition 

As already stated, one of the major advantages of simulatable security is the possibility of composition. A composition theorem states roughly the following: suppose we are given a protocol π implementing a trusted host TH, and we have another protocol ρ using TH as a primitive that implements some other trusted host CPLX. Then protocol ρ using π also implements CPLX. As a formula (where ≥ means implements):

π ≥ TH and (ρ using TH) ≥ CPLX ⇒ (ρ using π) ≥ CPLX (1)

However, it turns out that this formula can be interpreted in two different ways. To illustrate this, we give two examples of composition.

— Assume that π is a protocol implementing a key exchange (e.g. [BB84]), i.e. π ≥ KE. Assume further that ρ is a protocol that generates one key using KE and then uses this key to implement a secure message transmission SMT (applying some key-reuse strategies).

— Assume that π again implements key exchange. Assume further that ρ' is a protocol that implements a secure channel approximately as follows: For each message to be sent, a new key exchange is invoked. The resulting key is then used for transmitting an encrypted and authenticated message (e.g. using a one-time pad and authentication [RMQ04]).

We are now tempted to say that in both examples we can use (1) to show

(ρ using π) ≥ SMT and (ρ' using π) ≥ SMT.

But considering the examples in more detail, we note that there is a very important difference: While ρ uses only one copy of KE, the protocol ρ' employs many copies of KE (when we assume the environment to be limited to a polynomial amount of messages (in the security parameter k), we can say that at most polynomially many invocations of KE are performed). So whether we can apply (1) in the second example depends on whether "ρ' using TH" means "using at most one copy of TH" or "using at most polynomially many copies of TH."

To be able to differentiate more clearly between these two notions of "using", we introduce the following conventions: Let ρ^X denote ρ using one copy of X. Let further TH* denote the machine simulating arbitrarily many copies of TH, and let ρ* denote the machine simulating arbitrarily many copies of ρ. Then we can state the following two variants of the composition theorem:

simple: π ≥ TH and ρ^TH ≥ CPLX ⇒ ρ^π ≥ CPLX (2)

and

concurrent: π ≥ TH ⇒ π* ≥ TH* (3)

Clearly, for the first example it is sufficient to use the simple composition theorem (2). To prove security of the protocol constructed in the second example, we would proceed as follows: first, by the concurrent composition theorem (3) we get π* ≥ KE*. Then, our assumption that ρ' using KE implements SMT must be written more concretely as ρ'^(KE*) ≥ SMT. Now we can apply the simple composition theorem (2) (substituting π by π* and TH by KE*) and get ρ'^(π*) ≥ SMT.

So we have seen that for composition as in the first example, simple composition is sufficient, while for the second example simple and concurrent composition is needed.

The "Universal Composition Theorem" from [Can01] provides simple and concurrent composition; the "Secure Two-system Composition Theorem" from [BPW04b] only provides simple composition, but is supplemented by the "General Composition Theorem" from [BPW04a].

It turns out that a simple composition theorem can be shown for standard and for universal security (cf. Section 1.7 for an introduction of these notions). To the best of our knowledge, no proof of the concurrent composition theorem that does not need universal security has been published so far. Here we will only present the proof sketch of the simple composition theorem; for a sketch of the concurrent composition theorem the reader may refer to [Can01].

Proof sketch for the simple composition theorem. The basic idea of the proof of the simple composition theorem goes as follows (we follow the proof idea from [PW01], but stay very general so that this proof idea should be applicable to most simulatable security models):

Assume that π ≥ TH and that ρ^TH ≥ CPLX. Consider any real adversary A_real and honest user H. The network resulting from ρ^π, H and A_real running together is depicted in Figure 1. Here we consider the protocol ρ^π to consist of machines executing ρ and machines executing π, the former connected to the latter by secure connections.

Now consider a machine H_ρ simulating H and all the machines in ρ. We can now replace H and ρ by this simulation and get the network depicted in Figure 1. Since H_ρ is a faithful simulation, the views of the original and of the simulated H are identical.

Fig. 1. Simple composition theorem

Note now that this network represents the protocol π running with honest user H_ρ and real adversary A_real. Since we assumed π ≥ TH we know that there is a simulator A_sim s.t. the view of H_ρ is indistinguishable in that network and in the corresponding ideal network, in which TH runs with H_ρ and A_sim (Figure 1).

From this we then conclude that the views of the simulated H are also indistinguishable in these two networks.

Now we replace H_ρ again by the machines it simulated and get the network in Figure 1 in which ρ^TH runs with H and A_sim. Again, as H_ρ is a faithful simulation, we know that the views of the simulated and the original H in these networks are identical.

We can then conclude that the views of H in the network of ρ^π with A_real and in the network of ρ^TH with A_sim are indistinguishable, so we have found a simulator A_sim for the composed protocol ρ^π. Since we showed this for arbitrary H and A_real, it follows that ρ^π ≥ ρ^TH.

Using the transitivity of ≥,^4 from this and the assumption ρ^TH ≥ CPLX we conclude ρ^π ≥ CPLX. So the simple composition theorem is shown for the case of standard security.

In the case of universal security, we additionally have to show that the constructed simulator A_sim does not depend on the honest user H. However, since A_sim does not depend on H_ρ, only on A_real, this follows trivially.

^4 The transitivity is obvious if the security notion is defined symmetrically, i.e. if for the real and the ideal protocol the same adversaries are allowed and the scheduling etc. are defined in the same way for real and ideal execution. This is the case in the model of [BPW04b], unfortunately not in the model of [Can01], so that a formal proof in that model has to take care of more details.
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1.10 Models of corruption 



Another important point is the modelhng of corruption. Since we cannot assume all 
parties partaking in the protocol to be honest, we have to assume that the adversary 
can corrupt some parties, which afterwards are under his control. 

We distinguish two main flavours of corruption: static and adaptive corruption. 

In the case of static corruption, the adversary may choose a set of parties to corrupt 
(within some limits, e.g. at most t parties) before the protocol begins. This models the 
idea parties are either dishonest or honest, but do not change between these two states. 
(Static corruption is the default modelling in the model of |BPWn4b] .) 

In the case of adaptive corruption, the adversary can at any time during the execution 
of the protocol corrupt further machines (as long as the set of machines does not exceed 
the given limits). In particular, the choice which party to corrupt may depend on what is 
intercepted from a run of the protocol. This model captures the view that an adversary 
may at any time try to "persuade" some parties to do his bidding, e.g. by using force or 
hacking into their computer. (The model of [Can01] captures this notion of corruption.) 

It is common (both in [BPW04b] and [Can01]) that the honest user/environment 
is informed which parties are corrupted. While it may seem strange at first glance, 
informing the environment has the following advantage: Since the simulator tries to 
mimic the adversary exactly, the same parties are corrupted in the ideal model. Assume 
now that we have shown some protocol to be secure in the presence of at most $t+1$ 
corrupted parties. Then, using the fact that the simulator is restricted to corrupting 
no more parties than the real adversary, we can conclude that the protocol is also secure 
in the presence of at most $t$ corrupted parties. This simple and quite intuitive result 
would not hold if the real adversary and the simulator were not forced to corrupt 
the same number of parties. 

When considering static corruption and requiring adversary and simulator to corrupt 
the same parties, the modelling of a protocol with corruptible parties can be reduced 
to that of a protocol with only incorruptible ones using the following approach from 
[BPW04b]: For each set $C$ of parties that may be corrupted, let $\pi_C$ denote the protocol 
where these parties are removed and all connections these parties had are instead 
connected to the adversary. Let further $TH_C$ denote the trusted host where all connections 
associated with the parties from $C$ are connected to the adversary. Then $\pi$ implementing 
$TH$ (with possible corruption) is simply defined as $\pi_C \ge TH_C$ (without corruption) for 
all allowed sets $C$ of corrupted parties. 

In the case of adaptive security, another important design choice appears: whether 
parties are able to delete information. If they are non-deleting, an adversary corrupting 
a party does not only learn all information the party still wants to use in later protocol 
phases, but also all information that ever came to the attention of that party. This of 
course gives the adversary some additional advantage (but the simulator is also given 
some advantage, so the two security notions with and without non-deleting parties are probably 
incomparable). In [Can01] non-deleting parties are used, while in [BPW04b] deleting ones 
are used. 
It is difficult to transport the notion of non-deleting parties to the quantum case. 
Non-deleting parties cannot be required, since this would imply cloning all information 
passing through the party. The nearest analogue would seem to be non-measuring parties 
[MQ02], which instead of measuring would entangle the state to be measured with some 
ancillae. However, this does not completely capture the notion of non-deleting parties, 
since a party may now circumvent this restriction by basing some scheduling related 
decisions on some bit. If the scheduling is classical (see Section 1.13) this would destroy 
information. 

Due to these problems in the modelling of non-deleting parties in the quantum case, 
we will only model deleting parties in the sense that parties are allowed to perform any 
measurements or erasures. Further we will omit a discussion of adaptive corruption in 
the quantum case. 



1.11 Modelling machines 

Another point which can make subtle differences between different simulatable security 
models is the question of how a machine is modelled. 

In classical models, the following two approaches are most common: 

— In [BPW04b] a machine is modelled in a most general way. It is defined by a transition 
function that for each state of the machine and each set of inputs gives a probability 
distribution over the output and the state after that activation. Here the machine model 
does not a priori have the notion of a single computational step (as e.g. a Turing 
machine would have), but only that of an activation. One can then however describe 
certain subsets of machines, like the machines realisable by a Turing machine, or the 
machines realisable by a polynomial Turing machine, etc. The advantage of this model 
is that one is not forced to formulate all arguments in terms of Turing machines, but 
can use the mathematically much easier transition functions. 

— In [Can01] a machine is generally assumed to be a polynomial interactive Turing 
machine. The non-deletion property is achieved by keeping a copy of the current 
state in each Turing step. 

If adaptive corruption (see Section 1.10) is used, another point must be taken care 
of: if a machine is corrupted, the adversary learns its state, which means that there must 
be a canonical interpretation of how the state of a machine is encoded into a message sent 
to the adversary. 

In a quantum setting, one more choice has to be made: 

— Should machines be forced to be unitary (and simulate measurements by entangling 
with auxiliary qubits), or should they be allowed to perform measurements? At first it 
may seem that unitary machines yield the simpler mathematical model. However, as 
soon as some kind of classical scheduling is involved (see Section 1.13), measurements 
will take place anyway, so the overall behaviour of the network lacks a natural unitary 
description. When machines are allowed to perform measurements, machines and 
network fall in a natural way into one mathematical framework. Further, 
no options are lost by such a choice, since unitary transformations are a special case 
of quantum superoperators (see Section 1.15). 

In this work we have chosen to follow the approach of [BPW04b] and try to achieve a 
modelling of machines which captures any process not disallowed by physical laws. This 
yielded the following notion of machines: 

— Following the [BPW04b]-approach, each machine has a set of in- and out-ports, 
modelling the connections to other machines. A port can be classical or quantum. 

— The transition of a machine is modelled by a quantum superoperator. It takes the 
state and inputs of the machine to the new state and outputs. 

— Before and after each activation, the classical ports are measured, the results of these 
measurements over the whole life of the machine constitute the view of the machine. 

— Before each activation a special (machine dependent) repeatable measurement is 
performed on the machine's state to decide, whether the machine is in a final state 
or not. This measurement may be trivial (for non-terminating machines). 

1.12 Computational security 

The design choice which turns out to be the most difficult and error-prone in definitions 
of simulatable security is how to model computational security. 

The simplest and most common approach is to require all machines in a network 
(adversary, simulator, honest user, protocol machines) to be polynomially limited in the 
sense that there is a polynomial limiting the overall number of Turing steps (or gates, 
etc., depending on the underlying model of computation). Even this seemingly simple 
approach can lead to unexpected problems. Assume some trusted host is modelled as 
a polynomial machine. Since reading a message needs time, the machine will terminate 
after a given number of inputs on port $a$. Then however it will not be able to react 
to queries on port $b$, even if in the intuitive specification these ports are completely 
unrelated. This is an artefact of the modelling and should be avoided. Both [PW01] 
and [Can01] have these problems, the security proofs in these models sometimes being, 
strictly speaking, incorrect; e.g. most of the functionalities in [Can01] were not polynomial 
time, and therefore could not be composed (see below). 

The obvious solution of allowing the real or ideal protocol to be computationally unlimited 
and only restricting honest user, adversary and simulator to be polynomial time does 
not work either. An inspection of the proof sketch of the simple composition theorem 
(Section 1.9) shows that if the calling protocol ($\rho$ in the proof sketch) is not polynomially 
limited, then the combination of $\rho$ and the honest user $H$ is not polynomial time any 
more. So the assumption $\pi \ge TH$ cannot be used to establish equivalence of the networks 
in Figures ^3 and^ and the proof fails. So such an approach to computational security 
would lose the composition theorem and is thus not viable. 

In [Bac02] this problem was solved for the RS framework by introducing so-called 
length functions. These allow a machine to selectively switch off ports, thus being able 
to ignore inputs on these ports without losing computation time. This solved the problem 
described above. To the best of our knowledge, in the UC framework the problem has 
not yet been successfully approached. 
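The following toy model, added here and not taken from the paper or from [Bac02], replays the artefact described above (a polynomial trusted host starved on port $b$ by traffic on the unrelated port $a$) and the effect of a length function. It assumes a fixed step budget in place of the polynomial bound, a cost of one step per symbol read, and a length function that is simply a per-port maximum accepted input length with 0 meaning "port switched off"; the actual definition in [Bac02] is richer than this.

```python
"""Toy model of a polynomially bounded trusted host with two unrelated ports
(added example, not the paper's or [Bac02]'s code).  Port a carries a short
protocol phase of exactly two expected inputs; port b is a query service that
should stay available.  The 'budget' stands in for the life-time polynomial."""


class TrustedHost:
    def __init__(self, budget, use_length_functions):
        self.budget = budget                  # total number of steps the host may spend
        self.use_lf = use_length_functions
        # Assumed shape of a length function: port -> max accepted input length,
        # None = unlimited, 0 = port switched off.  Inputs longer than the limit
        # are dropped before any step is spent on them.
        self.length = {"a": None, "b": None}
        self.seen_on_a = 0

    def receive(self, port, msg):
        """One activation with input msg on in-port `port`; returns the output or None."""
        limit = self.length[port]
        if limit is not None and len(msg) > limit:
            return None                       # ignored for free: no computation time used
        if self.budget <= 0:
            return None                       # the machine has terminated for good
        self.budget -= len(msg) + 1           # reading a message costs time
        if self.budget < 0:
            return None
        if port == "a":
            self.seen_on_a += 1
            if self.use_lf and self.seen_on_a >= 2:
                self.length["a"] = 0          # phase on port a is over: switch the port off
            return "ack"
        return "echo:" + msg                  # port b: unrelated, should always work


def starvation_demo(use_length_functions, flood=40):
    """Flood port a, then ask on port b whether the host is still alive."""
    host = TrustedHost(budget=60, use_length_functions=use_length_functions)
    for _ in range(flood):
        host.receive("a", "x")                # 2 steps each while port a is open
    return host.receive("b", "hello")


if __name__ == "__main__":
    print("without length functions:", starvation_demo(False))   # None: port b starved
    print("with length functions:   ", starvation_demo(True))    # echo:hello
```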

However, the modelling using length functions still leaves some problems. For exam- 
ple, it is not possible to model trusted hosts that are able to process an arbitrary amount 
of data. An example for such a trusted host would be a secure channel that is not a priori 
restricted to some maximal number of messages. In the modelling using length functions 
every trusted host (and every corresponding real protocol) has to be parametrised in a 
"life time polynomial", which may be arbitrarily chosen, but has to be fixed in advance. 

A further possible solution is to allow parties to be polynomially bounded in the 
number of activations or in the length of their inputs. But this approach may lead to a 
modelling where two parties may gain unbounded computation time by sending messages 
to each other in a kind of "ping-pong" game. 

A solution to this problem is presented in |HMQU04] . Using the modelling presented 
there one can model parties that are able to process a not-a-priori-bounded amount of 
data, without losing the property of being in an intuitive way computationally bounded, 
and without losing the possibility of composition. This additional generality is however 
bought by additional complexity. 

Other points that have to be detailed are e.g. how much time is consumed by reading 
a message, whether a message is read from the beginning (disallowing reading the end of very 
long messages) or whether there is random access to the message content (i.e. the machine can 
start reading at the end, in the middle of a message, etc.*). 

A noteworthy point is that (strict) statistical security does not necessarily imply 
computational security. To see this, imagine an ideal protocol that gives a computation- 
ally hard problem to the simulator, and only if the simulator solves this problem, then 
the ideal protocol will behave exactly as does the real protocol. Then a computationally 
unbounded simulator will be able to mimic the behaviour of the real protocol, so we 
have strict statistical (even perfect) security. But a computationally bounded simulator 
will be unable to "unlock" the ideal protocol, so we do not have computational security. 
A possible remedy to this problem has been proposed by [Can00]: the simulator's runtime 
must be polynomially bounded in the runtime bound of the real adversary. Then 
statistical security implies computational security. 

In the present work we concentrate on unconditional security. However, we model the 
length functions of [Bac02], so computational security should be easily definable following 
the example of [BPW04b]. The approach of [HMQU04] should be easily adaptable to 
the model presented here, too. 



1.13 Scheduling and message delivery 

Besides specifying how machines operate and send or receive messages, it is necessary 
to model the behaviour of the overall network. It turns out that here the details may 
get very complicated. We sketch several general approaches to scheduling and message 
delivery: 

* In the quantum case even the access model would have to be distinguished, where a polynomial machine 
can in superposition access all bits of a message (the message is given to the machine as an oracle). 
Then the machine could e.g. determine whether a message of exponential length is balanced or not 
[DJ92], which clearly would not be possible if it had to read the message symbol by symbol. 



— No scheduling. Here the order of messages and activations is determined in advance. 
For example, in a two-party protocol it makes sense to say that the parties are 
alternatingly activated and upon each activation a message is sent to the other party. 
This is the simplest form of scheduling; it may however be unable to model the 
behaviour of more complex protocols where the decision whom to send a message to 
may depend on the protocol input or on some prior messages. 

— Message driven scheduling with immediate message delivery. In each activation a machine can 
send only one message. This message is immediately delivered to the recipient (which may 
be the adversary in the case of an insecure channel). This scheduling is very easy 
to model, but of course not every protocol can be described in such a model, and 
some realistic attacks may not be modelled. Further it seems difficult to model an 
authenticated channel (who should be activated next? the recipient? the adversary?). 

— Message driven scheduling with adversarially controlled delivery. Here a machine 
can send one or several messages in any activation. The adversary may then decide 
whether and when to deliver each message. Several flavours exist: 

• Fair vs. asynchronous delivery. It has to be chosen whether the adversary is 
required to eventually send a message (fair delivery) or whether it may drop 
messages at will. In case of fair delivery, great care has to be taken with respect to 
the exact modelling, since otherwise the definition could e.g. allow the adversary 
to "deliver" after the protocol's end. Another question is whether parties may or 
may not know an upper bound for the time it takes a message to be delivered. This 
problem is elaborated in more detail in [BHMQU04]. Both [BPW04b] and [Can01] 
model asynchronous delivery. In [Can01] so-called non-blocking adversaries are 
mentioned which are required to eventually deliver, but no definition is given and 
the above mentioned questions are not answered. 

Following [BPW04b], we adopt asynchronous delivery; however the discussion 
from [BHMQU04] can easily be adapted to our modelling. 

• Blind or transparent delivery. Is the adversary notified whether a message is 
waiting to be delivered on some connection? The adversary may have to schedule the 
connection without knowing whether some message is waiting (blind delivery), or 
he is informed of this fact beforehand (transparent delivery). Blind delivery captures 
the idea of a channel in which some reordering occurs, but which is not accessible 
to the adversary (e.g. an ethernet connection). Transparent delivery captures 
the idea of a connection which is routed through adversarially controlled routers. 
In [BPW04b] blind delivery is used, while [Can01] adopts transparent delivery. 
We follow [BPW04b] and use blind delivery. 

• Symmetric or asymmetric approach. In the [BPW04b] model each connection 
has a designated scheduler. This is usually the sending machine (modelling 
an immediately scheduled connection), the adversary (an adversarially controlled 
connection), or the recipient (a fetching connection). We call this the symmetric 
approach.* On the other hand [Can01] pursues an asymmetric approach. Here 
many different rules of scheduling are defined depending on whether the message 
is sent from functionality to parties or vice versa, and environment and adversary 
have special, non-interchangeable roles. 

We adopt the symmetric approach from [BPW04b] since we believe that this 
makes the details of the modelling easier and is additionally of great advantage in 
detailed proofs, since far fewer kinds of delivery have to be distinguished. 

— Non-message driven scheduling. By this we mean the idea that all machines may run 
in parallel, and messages do not influence the scheduling. In particular, a machine 
may execute tasks without the need of being activated by an incoming message. A 
scheduling falling into that class has been described in [Unr02]. However, no satisfying 
and easy model has yet been defined using that approach. 

It is the author's personal opinion that such a model would capture reality much 
better, especially when allowing the machine to measure time in some way. However 
it seems that coming to an easy and intuitive modelling is a still unsolved problem. 

— Synchronous scheduling. This means that the protocol proceeds in rounds, and in 
each round all machines are activated. This scheduling underlies e.g. the early models 
[PSW00] and [Can00]. However, assuming synchronous scheduling means assuming 
a very strong synchronisation of the protocol participants and is only justified in 
special cases. This assumption was dropped in [PW01] and [Can01]. 

A further interesting issue is whether the scheduling and message delivery is quantum 
or classical. By quantum scheduling we mean that events of scheduling (e.g. the recipient 
of a message, or the fact whether a message is sent at all, or which machine is activated) 
can be in a quantum superposition. In contrast, with classical scheduling the state of 
the system would always collapse to one of the possible decisions. 

An advantage of quantum scheduling would be the possibility to model protocols that 
explicitly make use of the superposition between sending and not sending a message. For 
example, there is a protocol that is able to detect if an eavesdropper tries to find out 
whether communication takes place at all [S.TBnHMQS03] (traffic analysis). 

However, modelling quantum scheduling turns out to be quite difficult. This is due to 
the fact that if the scheduling is to be non-measuring, it has to be defined in 
a unitary way. But then it would have to be reversible, thus disallowing many sensible 
machine definitions. A suitable combination of measuring and non-measuring scheduling 
would have to be found, capturing the possibilities of both worlds. 

Since how to model quantum scheduling is as far as we know an open problem, we 
will here present a modelling of security using a classical scheduling. 

1.14 The Ben-Or-Mayers model 

In this section we compare our model to the modelling of [BOM04]. We organise this 
comparison into several short topics, according to different sections of the introduction. 

* However, the symmetry is slightly broken by the fact that there is a designated machine called the 
master scheduler, which is activated if the activation token is lost. 
— Machine model (cf. Section 1.11). In our modelling, machines are modelled by giving 
a transition operator, which can model any quantum-mechanically possible operation 
of the machine, including all types of measurements. In contrast, in the [BOM04]- 
model machines are modelled as partially ordered sets of gates, i.e., as circuits (the 
partial order gives the order of execution of the gates). 

— The order of quantifiers (cf. Section 1.7). In the [BOM04] model, no explicit real-life 
adversary exists. Instead the environment communicates directly with the protocol, 
while in the ideal model a simulator is placed between the protocol and the envi- 
ronment (i.e., in the real model, a dummy adversary is used). The idea behind such 
a dummy-adversary approach (which is also given as an alternative formulation in 
[Can01]) is that if there are a distinguishing adversary and environment, we could put 
the adversary into the environment and leave an empty hull in place of the adversary, 
the dummy adversary. Then the honest user would still distinguish. Therefore we can 
restrict our attention to such dummy adversaries. Now, in the model of [BOM04], 
the order of quantifiers is as follows: For all environments, there is a simulator, such 
that real and ideal models are indistinguishable. So the simulator is chosen in depen- 
dence of the environment, i.e. we have standard security (while the notion of universal 
security is not specified in that modelling). 

— Composition (cf. Section 1.9). [BOM04] shows a composition theorem which 
is comparable to what we call a simple composition theorem. I.e., the concurrent 
composition of a non-constant number of copies of the protocol is not allowed by 
the composition theorem. Since the order of quantifiers is that of standard security, 
this seems natural. 

In the discussions in [BOM04], some natural conditions for universal composition 
are given, which seem to allow for concurrent composition of a polynomial number 
of protocol copies. However, these conditions require that the statistical distance 
between real and ideal protocol execution is bounded by a negligible function which 
must be independent of the environment in use. This condition is a very strict one, 
since most computationally secure protocols violate it (consider some 
protocol where the adversary must find the pre-image of some function to break the 
protocol; then the probability of breaking the protocol may go up if the adversary 
does a longer search for pre-images). In fact, the author knows of no protocol that 
is computationally but not statistically secure that would still be computationally 
secure with respect to these additional conditions. 

— Models of corruption (cf. Section 1.10). Corruption is modelled in the Ben-Or-Mayers 
model as follows: There are some so-called classical control registers which may con- 
trol the order and application of the gates of a circuit. A corruptible machine will 
then execute its own gates if a special control register, the corruption register, is set 
to 0. If it is set to 1, gates specified by the adversary are executed instead. Therefore 
in [BOM04] adaptive corruption is modelled, since the adversary might change the 
value of a control register at a later time. 

— Computational security (cf. Section 1.12). In [BOM04] computational security is 
modelled by requiring that for any polynomial $f$, any family of environments with less 
than $f(k)$ gates (where $k$ is the security parameter) achieves only negligible statistical 
distance between ideal and real protocol execution. This is roughly equivalent to 
requiring security against non-uniform environments, adversaries and simulators. 

— Scheduling and message delivery (cf. Section 1.13). We have tried to realise a very 
general scheduling using the concept of buffers, which are scheduled at the discretion 
of the adversary. In contrast, in the [BOM04]-model a simpler scheduling was 
chosen: the delivery of messages and activation of machines is represented by the 
ordering of the gates. Since the ordering of gates within one machine is fixed up to 
commuting gates, and the access of gates of different machines to a shared register (a 
channel register) is defined to alternate between sender and recipient, all scheduling 
and message delivery between machines is fixed in advance. Only when the adversary's 
gates are executed may the scheduling have some variability. Further there might 
be situations (like a channel shared by more than two parties) where the scheduling 
is not completely fixed. 

However, the partial order on the gates is fixed by the environment in advance, i.e., it 
may not depend on information gathered by the adversary in the course of a protocol 
execution. 

This model of scheduling seems adequate for protocols with a very simple commu- 
nication structure (like two-party protocols proceeding in rounds); more complex 
protocols however tend to contain the possibility of race conditions* and message 
reordering. Therefore a security guarantee given in the [BOM04]-model for such a 
protocol should be taken with care, since attacks based on such scheduling issues 
would not be taken into account by that model (at least, if the attack is based on 
information gathered by the adversary). 

Further it does not seem possible even to model protocols which contain instructions 
like "toss a coin; on outcome 0 send a message to Alice, on outcome 1 send a message 
to Bob", since the sending of messages is fixed in advance. 

— Service ports (cf. Section 1.8). Often it is useful to dedicate some in- and outgoing 
connections of the protocol to be used only by the adversary (in particular, the 
simulator can lie to the environment about the information on these connections). 
Other connections again should be used by the environment (since they constitute 
the protocol in- and outputs). We have realised this concept by specifying a set of 
protocol ports that can be used by the honest user, the service ports. All other ports 
are restricted to be used only by the adversary. 

Such a distinction is particularly useful when specifying a trusted host, where some 
side-channels (like the size of a transmitted message or similar) are intended only for 
the adversary. 

It is unclear to us whether the [BOM04] model provides a possibility for specifying 
such a distinction (i.e., for telling the simulator which ports it may access and which 
it may not). 

It would be very interesting to study how security in the [BOM04]-model relates to 
security in our model. E.g., a theorem like "if the protocol $\pi$ is secure in [BOM04] and 
satisfies such-and-such conditions, then the protocol $\pi'$, resulting from translating $\pi$ into 
our model in such-and-such a way, is secure in our model" would seem very nice. (The 
other direction might be more difficult, since many protocols in our model that have more 
than three parties would not have an intuitive counterpart in the [BOM04]-model.) 

* I.e., the protocol is sensitive to the order of events. A typical race condition would be if some event 
happens exactly between two delicate steps of the protocol, causing confusion and insecurity. 

1.15 Quantum mechanical formalism used in this work 

In this work, we adopt the formalism that states in quantum mechanics are described 
using density operators. Given a Hilbert space $\mathcal{H}$, we write $P(\mathcal{H})$ for the set of positive 
linear operators on $\mathcal{H}$ with trace 1. 

If $\mathcal{H} = \mathbb{C}^{X}$ for some countable set $X$, we say that $\{\,|x\rangle : x \in X\}$ is the computational 
basis for $\mathcal{H}$. 

Any operation on a system can then be described by a so-called superoperator (or quan- 
tum operation). A mapping $\mathcal{E} : P(\mathcal{H}) \to P(\mathcal{H})$ is a superoperator on $P(\mathcal{H})$ (or, for short, on 
$\mathcal{H}$), iff it is convex-linear, completely positive and $0 \le \operatorname{tr} \mathcal{E}(\rho) \le \operatorname{tr} \rho$ for all $\rho \in P(\mathcal{H})$. 

Superoperators $\mathcal{E}$ on a system $\mathcal{H}_1$ can be extended to a larger system $\mathcal{H}_1 \otimes \mathcal{H}_2$ by 
using the tensor product $\mathcal{E} \otimes \mathbb{1}$ (where $\mathbb{1}$ is the identity). 

We will only use a special kind of measurement, so-called von Neumann or projective 
measurements. A von Neumann measurement on $\mathcal{H}$ is given by a set of projections $P_i$ 
on $\mathcal{H}$, s.t. $\sum_i P_i = \mathbb{1}$ and all $P_i$ are pairwise orthogonal, i.e. $P_i P_j = 0$ for $i \ne j$. Given a 
density operator $\rho \in P(\mathcal{H})$, the probability of measurement outcome $i$ is $\operatorname{tr} P_i \rho$, and the 
post-measurement state for that outcome is $P_i \rho P_i$. 

We say a von Neumann measurement is complete if every projector has rank 1. 
A complete von Neumann measurement in the computational basis denotes a von 
Neumann measurement where each projector projects onto one vector from the com- 
putational basis of $\mathcal{H}$. 

Von-Neumann measurements too can be extended to a larger system by using the 
tensor-product. 

For further reading we recommend the textbook [NC00]. 

Additionally we fix that $\mathbb{N}$ denotes the natural numbers excluding 0, $\mathbb{N}_0$ the natural 
numbers including zero, $\mathbb{R}$ the real numbers, and $\mathbb{R}_{\ge 0}$ the non-negative real numbers. 
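As an added illustration of the formalism in this section (not code from the paper), the following pure-Python functions implement a von Neumann measurement on a density operator: they check the two conditions on the projectors, compute $\operatorname{tr} P_i \rho$ and the unnormalised post-state $P_i \rho P_i$, and extend a measurement from $\mathcal{H}_1$ to $\mathcal{H}_1 \otimes \mathcal{H}_2$ via $P_i \otimes \mathbb{1}$. The worked case (a Bell state whose first qubit is measured in the computational basis) is constructed here; it also shows that the extended measurement is no longer complete, since $P_i \otimes \mathbb{1}$ has rank 2.

```python
"""Von Neumann (projective) measurements on density operators in pure Python
(added illustration of the formalism in Section 1.15; not the paper's code).
Matrices are lists of rows; entries may be float or complex."""
import math


def matmul(a, b):
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def kron(a, b):
    """Tensor product a (x) b: how operators on H1 are extended to H1 (x) H2."""
    rb, cb = len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb]
             for j in range(len(a[0]) * cb)] for i in range(len(a) * rb)]


def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def trace(a):
    return sum(a[i][i] for i in range(len(a)))


def approx_equal(a, b, eps=1e-9):
    return all(abs(x - y) < eps for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def is_von_neumann(projectors):
    """The text's two conditions: sum_i P_i = 1 and P_i P_j = 0 for i != j."""
    n = len(projectors[0])
    total = [[sum(p[i][j] for p in projectors) for j in range(n)] for i in range(n)]
    if not approx_equal(total, identity(n)):
        return False
    zero = [[0.0] * n for _ in range(n)]
    return all(approx_equal(matmul(projectors[i], projectors[j]), zero)
               for i in range(len(projectors)) for j in range(len(projectors)) if i != j)


def is_complete(projectors):
    """Complete iff every projector has rank 1; a projector's rank equals its trace."""
    return all(abs(trace(p) - 1) < 1e-9 for p in projectors)


def computational_basis_measurement(dim):
    """Projectors |x><x| onto the computational basis of C^dim (rank 1 each)."""
    return [[[1.0 if i == j == x else 0.0 for j in range(dim)] for i in range(dim)]
            for x in range(dim)]


def extend(projectors, dim2):
    """P_i on H1 becomes P_i (x) 1 on H1 (x) H2 (dim H2 = dim2)."""
    return [kron(p, identity(dim2)) for p in projectors]


def density_of(psi):
    """|psi><psi| for a normalised state vector psi."""
    return [[a * b.conjugate() for b in psi] for a in psi]


def measure(rho, projectors):
    """Outcome i has probability tr(P_i rho); the post-state P_i rho P_i is left
    unnormalised exactly as in the text (its trace equals the probability)."""
    if not is_von_neumann(projectors):
        raise ValueError("projectors do not form a von Neumann measurement")
    return [(trace(matmul(p, rho)).real, matmul(matmul(p, rho), p)) for p in projectors]


def bell_first_qubit():
    """Constructed example: measure the first qubit of (|00> + |11>)/sqrt(2)."""
    psi = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]
    rho = density_of(psi)
    meas = extend(computational_basis_measurement(2), 2)   # act on qubit 1 only
    return measure(rho, meas)


if __name__ == "__main__":
    for outcome, (prob, post) in enumerate(bell_first_qubit()):
        print(f"outcome {outcome}: probability {prob:.3f}, tr(post-state) {trace(post):.3f}")
```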
2 Quantum networks with scheduling 

In the following we will sketch how networks of quantum machines can be defined, while 
trying to closely mimic the behaviour of the classical networks of the RS framework of 
[BPW04b]. 

Roughly, a quantum network (collection in the terminology of [BPW04b]) consists 
of a set of machines. Each machine has a set of ports, which can be connected to other 
machines to transmit and receive messages. A port can be of the following kinds: 

— A simple out-port $p!$. This is a port on which a machine can send a message. 

— A simple in-port $p?$. This is a port on which a machine can receive a message. 

— A clock out-port $p^{\triangleleft}!$. Using this port a machine can schedule a message, i.e. messages 
sent from port $p!$ are not delivered to $p?$ until they are scheduled via $p^{\triangleleft}!$. 

— Clock in-ports $p^{\triangleleft}?$, buffer in-ports $p^{\leftrightarrow}?$ and buffer out-ports $p^{\leftrightarrow}!$. These ports are 
special to the so-called buffers and are explained below. 

— The master-clock-port $\mathsf{clk}^{\triangleleft}?$. This special case of a clock in-port is special in 
that it is not connected to another machine. Instead, a special machine called the 
master scheduler is activated via this port if the activation token is lost, i.e. if no 
machine would be activated via an incoming message. 

Each port is additionally classified as being either a quantum or a classical port. 
(This of course is an addition to the modelling of [BPW04b].) 

There are further special machines called buffers. These have the task of storing 
messages while they are waiting to be delivered. A buffer $p$ necessarily has ports $p^{\leftrightarrow}?$, 
$p^{\leftrightarrow}!$ (buffer in-/out-port) and $p^{\triangleleft}?$ (clock in-port). It is further associated to the ports $p!$, 
$p?$ and $p^{\triangleleft}!$ by its name $p$. Therefore we get the situation depicted in Figure 2. 
[Figure 2: sending machine, buffer $p$, receiving machine (image not reproduced)] 

Fig. 2. A connection 



A message delivery now takes place as follows: The sending machine sends a message 
by writing a string (preparing a quantum state) on the out-port $p!$. This message is then 
immediately transferred into the buffer. In the buffer it is appended to a queue. In this 
queue it stays until the scheduler for buffer $p$ sends a natural number $n$ on $p^{\triangleleft}!$. If $n \ge 1$ 
and there are at least $n$ messages in the buffer's queue, the $n$-th message is removed 
from the queue and transmitted to the simple in-port $p?$ of the receiving machine. The 
receiving machine is then activated next. 
The three machines in Figure 2 are not necessarily different ones. In particular, it 
may e.g. be that the sending machine schedules its messages itself, realising immediate 
delivery, or that a machine sends messages to itself. 

Note that if a machine has several clock out-ports and sends a number on several of 
these, all but the first one (in some canonical ordering of the ports) are ignored, since 
otherwise it would be unclear which machine to activate next. 

If no machine would be activated next (e.g., because the machine last activated did 
not write on a clock out-port, or because the number $n$ sent through the clock out-port 
$p^{\triangleleft}!$ was higher than the number of messages queued in the buffer $p$), a special designated 
machine is activated, the master scheduler. This machine is characterised by having the 
master-clock-port $\mathsf{clk}^{\triangleleft}?$ on which it then gets the constant input 1. 

We have now seen that in a network there are three types of machines: 

— A simple machine. This machine is characterised by having only simple in- and out- 
ports and clock out-ports. 

— A master scheduler. This machine may have the same ports as a simple machine, 
but additionally has the master-clock-port $\mathsf{clk}^{\triangleleft}?$. Also, the master scheduler is the 
machine to be activated at the beginning of the execution of the network. 

— A buffer. This machine, which has a completely fixed behaviour, exists merely to store 
and forward messages. (The buffer will be defined more exactly below.) 

Upon each activation of some simple machine or master scheduler, a record of this 
activation is added to the so-called trace or run of the network (or collection). This record 
consists of the name of the machine, of all its classical inputs (contents of the classical 
in-ports before activation), all its classical outputs (contents of the classical out-ports 
after activation), and the classical state (see below) before and after activation.* 

From the run we can easily extract the so-called view of some machine M. It consists 
of all records in the run containing the name of M. 

The scheduling as described above will now be transformed into a formal definition (while 
strongly drawing from the definitions of [BPW04b] wherever the introduction of quantum 
mechanics does not necessitate an alteration). 

2.1 Quantum machines 

First, for self-containment, we restate the unchanged formal definition of a port from 
[BPW04b]: 

Definition 1 (Ports [BPW04b]). Let $V := \Sigma^+ \times \{\varepsilon, \leftrightarrow, \triangleleft\} \times \{!, ?\}$ (here ε denotes the 
empty word). Then p ∈ V is called a port. For p = (n, l, d) ∈ V, we call name(p) := n 
its name, label(p) := l its label, and dir(p) := d its direction. 

* Here we slightly deviate from the modelling of [BPW04b], where the complete in-/output and the 
complete state is logged. This of course is not possible in the quantum case, since it would imply 
measuring the quantum state and all the in-/outputs in every activation. 

Usually we do not write (n, l, d), but nld, i.e., a port named p with label ◁ and 
direction ! would simply be written p◁!; if the label was ε, we would write p!. 

Note that label ε denotes a simple port, label ↔ a buffer port and label ◁ a clock 
port. Further, direction ! denotes an out-port, and direction ? an in-port. 

Further, if P is a set or sequence of ports, let in(P) and out(P) denote the restriction 
of P to its in- or out-ports, resp. 

We can now proceed to the definition of a machine. Since our model shall encompass 
quantum machines, we will here deviate from the modelling of machines in [BPW04b]. 
However, to simplify comparisons, we shortly recapitulate the definition of a machine in 
[BPW04b] (which we will call a BPW-machine): 

— A machine M is a tuple M = (name, Ports, States, δ, l, Ini, Fin). Here name is the 
unique name of the machine, Ports the sequence of the ports of this machine, and States ⊆ 
Σ* the set of its possible states. 

— l is the length function of this machine, see below. 

— Ini is the set of initial states. Since in the security definitions in [BPW04b] only the 
states of the form 1^k are used (where k is the security parameter), we can w.l.o.g. as- 
sume Ini = {1^k : k ∈ N}. 

— Fin is the set of final states. A machine reaching a state in Fin will never be activated 
again. 

— δ is the state-transition function. For a given state s of the machine and inputs I, 
δ(s, I) gives the probability distribution of (s', O), where s' is the state of the machine 
after activation, and O its output. 

In comparison, we define a machine in our quantum setting as follows (cf. also the 
discussion after this definition): 

Definition 2 (Machine). A machine (or quantum machine) is a tuple 

$$M = (name,\ Ports,\ CPorts,\ QStates,\ CStates,\ \Delta,\ l,\ Fin)$$

where 

— name ∈ Σ⁺ is the name of the machine. 

— Ports is the sequence of the ports of the machine. 

— CPorts ⊆ Ports is the set of the classical ports of the machine. There must be no 
clock-ports in Ports \ CPorts (i.e. all clock-ports are classical). 

— QStates ⊆ Σ* is the basis of the space of the quantum states, i.e. the states of M live 
in $\mathbb{C}^{QStates}$. It must be ε ∈ QStates. 

— CStates ⊆ Σ* is the set of the classical states of the machine. It must be 1^k ∈ CStates 
for all k ∈ N (i.e. the classical states must be able to encode the initial states). 

— The state-transition operator Δ_M is a trace-preserving superoperator operating over 
the Hilbert space $\mathbb{C}^{QStates} \otimes \mathbb{C}^{CStates} \otimes \mathbb{C}^{I} \otimes \mathbb{C}^{O}$, where $I := (\Sigma^*)^{in(Ports)}$ is the set 
of all possible inputs of M (strictly speaking the basis of the state of all inputs), and 
$O := (\Sigma^*)^{out(Ports)}$ analogously for the outputs of M. 

— The function l : CStates × in(Ports) → {0, ∞} is called the length function of M. For 
each classical state c and each in-port p, this tells whether input on this port should 
be ignored (l(c, p) = 0) or not (l(c, p) = ∞). 

— Fin ⊆ CStates is the set of final states. If the classical state of the machine is a final 
state, then the machine will not be activated any more. 

Given a machine M, we denote the different entries of the tuple defining M by the 
name of the entry and a subscript M. E.g., CStates_M are the classical states of M. 

We will now discuss the elements of this definition. The field name simply defines a 
unique name of the machine, which is used to know with which machine the entries in 
the trace are associated. 

The sequence Ports denotes which ports a given machine has. A subset of these are 
the classical ports CPorts. All messages written to or read from the classical ports are 
measured in the computational basis (before or after the activation of M, depending on 
whether it is an in- or an out-port). Note that the machine definition above does not 
handle classical ports differently from quantum ports; the measuring will take place in 
the run-algorithm (see Section 2.2). We do not allow clock-ports to be quantum ports, 
since the clock ports contain the numbers of the messages that are to be scheduled. Since our scheduling 
is classical (cf. Section 1.13), these numbers have to be classical. 

One notices that the above machine definition has two sets of states, the quantum 
states QStates and the classical states CStates. We may imagine the machine to be a 
bipartite system, consisting of a classical part and a quantum part. However, since the 
quantum part is not restricted to unitary operations, this does not imply a strict sepa- 
ration of a controlling classical machine and a controlled pure quantum machine. This 
distinction is necessary, since some events in the scheduling etc. depend on the state of 
the machine. Since these events are of classical nature (see discussion in Section 1.13), 
they may not depend on the quantum state. Note again that the state-transition op- 
erator does not treat the classical and the quantum state differently; the run-algorithm 
(Section 2.2) takes care of measuring the classical state. 

The most interesting part of the machine is probably the state-transition operator, 
since it specifies the behaviour of the machine. We try to make the machine definition 
as general as possible; therefore we want to allow any quantum mechanically possible 
operation on the space accessible to the machine. This space consists of the inputs $\mathbb{C}^{I}$, the 
outputs $\mathbb{C}^{O}$, and of course of the bipartite state $\mathbb{C}^{QStates} \otimes \mathbb{C}^{CStates}$ of the machine. The 
most general operation on such a space is described by a trace-preserving superoperator 
(cf. Section 1.15).† Therefore we do not impose any more restrictions on the state- 
transition operator Δ than to be such a superoperator. Note that Δ is formally even 
allowed to read its output space or write to its input space. However, since the input 
space is erased after activation, and the output space is initialised to a known state 
before activation (cf. Section 2.2), this does not pose a problem. 

The [BPW04b] model introduced so-called length functions to cope with some prob- 
lems occurring when modelling computational security (see the discussion of computational security in Section 1). These length functions 

† We do, of course, neglect advanced physics like special and general relativity. However, formally mod- 
elling these in a security model is probably still far off in the future. 

allow machines to set the maximal length of a message which can be received on a given 
in-port (longer input is truncated). So in particular, a machine can switch off some in- 
port completely, which has the effect that this machine is not activated any more on 
input on that port. Since whether the machine is activated or not is here defined as a 
classical decision, the length function should be classically defined, too. Therefore the 
length function must only depend on the classical state of the machine. In our setting 
the length function only plays a minor role, since we are only concerned with uncon- 
ditional security. However, since this model is designed to be easily extendable to the 
computational case (by defining a computational model for the machines and then using 
a straightforward adaption of the definition of computational security from [BPW04b]), 
we included the length functions into our model. The only important values of length 
functions are 0 (ignore the message) and ∞ (do not ignore it); all other values (integers 
greater than 0) just truncate the message, but even a computationally limited machine could 
simply ignore anything longer than indicated by the length function. Since further trun- 
cating would imply at least a partial measurement of the length of the message, we have 
restricted the length functions to take only the values 0 and ∞. 

Finally, the decision whether a machine has terminated or not should be classical, i.e. 
it should only depend on the classical state of the machine. Therefore the set Fin of 
final states is a subset of CStates. 

A special kind of machine is the so-called buffer (see the informal description in 
Section 2). The state of the buffer contains a (possibly empty) queue of messages. Note 
that the buffer does not measure these messages; they are simply moved. A buffer p̃ can 
be called for two different reasons: 

— A message arrived on its buffer in-port p↔?. Then this message is appended to the 
queue. 

— A number n was written to its clock in-port p◁?. Then the n-th message is taken 
from the queue (if existent) and moved to the buffer out-port p↔!. 

For completeness we give a formal definition of buffers: 

Definition 3 (Buffers). Let Queue denote the set of all possible queue contents: 

$$Queue := \{(n; m_1, \dots, m_n) : n \in \mathbb{N}_0,\ m_i \in \Sigma^*\}$$

We assume the elements of Queue to be encoded as words in Σ*, so that (0) (the empty 
queue) is encoded as the empty word ε ∈ Σ*. 
The buffer p̃ is defined by 

$$\tilde p := (\tilde p,\ (p{\leftrightarrow}?,\ p{\leftrightarrow}!,\ p{\triangleleft}?),\ \{p{\triangleleft}?\},\ Queue,\ \{1^k\},\ \Delta_{buff},\ \infty,\ \emptyset)$$

That is, the buffer is named p̃, has ports p↔?, p↔!, p◁?, of which p◁? is classical, the 
classical states are the required initial states 1^k, and the quantum states are the possible queue 
contents (where the queue initially is empty). The length function is the constant 
∞, i.e. no truncating takes place. The set of final states is ∅, so the buffer will never 
terminate. 

The state-transition operator Δ_buff is defined by the following measurement process 
on the buffer's state (in $\mathcal{H}_{\tilde p} = \mathbb{C}^{Queue} \otimes \mathbb{C}^{CStates} \otimes \mathcal{H}_{p\leftrightarrow?} \otimes \mathcal{H}_{p\triangleleft?} \otimes \mathcal{H}_{p\leftrightarrow!}$): 

— Measure whether $\mathcal{H}_{p\leftrightarrow?}$ contains the state |ε⟩ (ε being the empty word). If not (p↔? is 
nonempty), perform the linear operation given by 

$$|(n; m_1, \dots, m_n)\rangle \otimes |in\rangle \;\mapsto\; |(n+1; m_1, \dots, m_n, in)\rangle \otimes |\varepsilon\rangle$$

on $\mathbb{C}^{Queue} \otimes \mathcal{H}_{p\leftrightarrow?}$. (I.e., if there is input on port p↔?, append it to the queue.) 

— Perform a complete von Neumann measurement in the computational basis (from 
now on called complete measurement) on $\mathcal{H}_{p\triangleleft?}$. Let i be the outcome. 

— Prepare the state |ε⟩ in subsystem $\mathcal{H}_{p\leftrightarrow!}$. 

— Measure the first component in $\mathbb{C}^{Queue}$ (i.e. project $\mathbb{C}^{Queue}$ onto one of the spaces $S_n$, 
where $S_n$ is spanned by the vectors $|(n; m_1, \dots, m_n)\rangle$, $m_i \in \Sigma^*$). Let n be the outcome 
of this measurement (i.e. n is the current queue length). 

— If i ∈ N ⊆ Σ* (we assume natural numbers to be encoded as nonempty words in Σ*) 
and i ≤ n, then perform the following linear operation on $\mathbb{C}^{Queue} \otimes \mathcal{H}_{p\leftrightarrow!}$: 

$$|(n; m_1, \dots, m_n)\rangle \otimes |\varepsilon\rangle \;\mapsto\; |(n-1; m_1, \dots, m_{i-1}, m_{i+1}, \dots, m_n)\rangle \otimes |m_i\rangle.$$

That is, the i-th message is moved to the buffer out-port p↔!. 

2.2 Quantum networks 

So far we have only modelled single machines. From here, the definition of a network 
is not very far away. In the [BPW04b] modelling a network simply is a set of machines 
(called a collection). The connections between the machines are given by the names of the 
ports, as described in Section 2 and depicted in Figure 2. Some restrictions have to apply 
to a collection to form a sensible network, e.g. there must not be any dangling connection 
(free ports), and no ports must be duplicated. The formal definition of collections is 
literally identical to that in [BPW04b]; we cite it for self-containedness: 

Definition 4 (Collections [BPW04b]). 

— A collection C is a finite set of machines with pairwise different machine names, 
pairwise disjoint port sets, and where each machine is a simple machine, a master 
scheduler, or a buffer. 

— ports(C) denotes the set of all ports of all machines (including buffers) in C. 

— If ñ is a buffer, ñ, M ∈ C and n◁! ∈ Ports_M, then we call M the scheduler for buffer 
ñ in C, and we omit "in C" if it is clear from the context. 

Note that a collection is not necessarily a complete network, since it is not required 
that each port has its counterpart. This is important since we will need these "non- 
closed" collections for defining the notion of protocols (Section 3.1). 

Prior to introducing the notion of a closed collection, which will represent quantum 
networks, we have to introduce the notion of the free ports. The low-level complement 
$p^c$ of some port p is the port which in Figure 2 is directly connected to p. That is, 

$$(p!)^c = p{\leftrightarrow}?,\quad (p?)^c = p{\leftrightarrow}!,\quad (p{\leftrightarrow}!)^c = p?,\quad (p{\leftrightarrow}?)^c = p!,\quad (p{\triangleleft}!)^c = p{\triangleleft}?,\quad (p{\triangleleft}?)^c = p{\triangleleft}!.$$

Then we can define the set of free ports of a collection C to be the set of ports in C that do 
not have a low-level complement in C, formally $free(C) = \{p \in ports(C) : p^c \notin ports(C)\}$. 
Intuitively, the free ports are those that have a "dangling" connection. 
We can now define a closed collection: 

Definition 5 (Closed collection, completion [BPW04b]). 

— The completion [C] of C is defined as 

$$[C] := C \cup \{\tilde n \mid \exists l, d : (n, l, d) \in ports(C) \setminus \{clk{\triangleleft}?\}\}.$$

— C is closed iff $free([C]) = \{clk{\triangleleft}?\}$. 

Intuitively, the completion of C results from adding to C all missing buffers. That is, 
if some machine has a port p!, p?, or p◁!, then the buffer p̃ is added if not yet present. 
Note that no buffer is added for the master-clock-port clk◁?, since this port should be 
left free (it is only used to activate the master scheduler in case of a lost activation 
token). 

A collection is then called closed if only buffers are missing, i.e. if after completing it 
there is no "dangling connection" (note that of course the master-clock-port must stay 
unconnected). Such a closed collection is now a quantum network ready to be executed. 

We will now proceed to defining the run of a network. In contrast to the definitions of 
collections etc. at the beginning of this section, the run algorithm is inherently quantum, 
so the definition given here differs from that in [BPW04b]. However, we try to capture 
the structure and the behaviour of the scheduling. 

Explanations on the individual steps of the algorithm below can be found after the 
definition. 

Definition 6 (Run). Let a closed collection C and some security parameter k ∈ N be 
given. Let X denote the master scheduler of C. 
For any machine M ∈ [C] let 

$$\mathcal{H}_M := \mathbb{C}^{QStates_M} \otimes \mathbb{C}^{CStates_M} \otimes \mathbb{C}^{I_M} \otimes \mathbb{C}^{O_M}.$$

$\mathcal{H}_M$ is the space accessible to M, including the space of its inputs and outputs. 

Note that $I_M$ has the structure $I_M = \prod_{p \in in(Ports_M)} \Sigma^*$; therefore $\mathbb{C}^{I_M}$ decomposes 
into 

$$\mathbb{C}^{I_M} = \bigotimes_{p \in in(Ports_M)} \mathcal{H}_p \quad\text{with}\quad \mathcal{H}_p := \mathbb{C}^{\Sigma^*}$$

(and analogously for $\mathbb{C}^{O_M}$ and the out-ports). 

Below we will sometimes refer to these subsystems directly via their name $\mathcal{H}_p$. 
Let further 

In the following, when we say that some operation X (a superoperator or a measure- 
ment) is applied to some subsystem $\mathcal{H}$ of $\mathcal{H}_C =: \mathcal{H}_a \otimes \mathcal{H} \otimes \mathcal{H}_b$, we formally mean that 
$1 \otimes X \otimes 1$ is applied to $P(\mathcal{H}_a \otimes \mathcal{H} \otimes \mathcal{H}_b)$ (the set of density operators on $\mathcal{H}_C$). Here 1 
denotes the identity. 

Consider the following measurement process on $\mathcal{H}_C$ (formally, on the set $P(\mathcal{H}_C)$ of 
density operators over $\mathcal{H}_C$). 

1. Prepare the state 

$$\bigotimes_{M \in C} \rho_M^{init} \in P(\mathcal{H}_C)$$

where 

$$\rho_M^{init} := |\varepsilon\rangle\langle\varepsilon| \otimes |1^k\rangle\langle 1^k| \otimes |\varepsilon, \dots, \varepsilon\rangle\langle\varepsilon, \dots, \varepsilon| \otimes |\varepsilon, \dots, \varepsilon\rangle\langle\varepsilon, \dots, \varepsilon| \in P(\mathcal{H}_M)$$

(This means we initialised all machines to the initial quantum state |ε⟩⟨ε|, the classical initial 
state 1^k, and empty in- and output spaces.) 

2. Initialise the variable M_cs (the current scheduler) to have the value X. Prepare |1⟩⟨1| 
in $\mathcal{H}_{clk\triangleleft?}$.‡ 

3. Perform a complete von Neumann measurement in the computational basis (called a 
complete measurement from now on) on $\mathbb{C}^{CStates_{M_{cs}}}$. Let s denote the outcome. 

4. If $s \in Fin_{M_{cs}}$ and M_cs = X, exit (the run is complete). If $s \in Fin_{M_{cs}}$, but M_cs ≠ X, 
proceed to Step 2. 

5. For each port p ∈ in(Ports_{M_cs}) s.t. $l_{M_{cs}}(s, p) = 0$, prepare |ε⟩⟨ε| in $\mathcal{H}_p$. 

6. For each p ∈ in(CPorts_{M_cs}), perform a complete measurement on $\mathcal{H}_p$. Let the out- 
come be $I_p$. 

7. For each port p ∈ in(Ports_{M_cs}), measure whether $\mathcal{H}_p$ is in state |ε⟩ (whether it is 
empty). If all ports were empty, proceed to Step 2. Otherwise let P be the set of the 
ports that were nonempty. 

8. Switch the current scheduler, i.e. apply the state-transition operator $\Delta_{M_{cs}}$ to $\mathcal{H}_{M_{cs}}$. 

9. Perform a complete measurement on $\mathbb{C}^{CStates_{M_{cs}}}$. Let s' denote the outcome. For 
each p ∈ out(CPorts_{M_cs}), perform a complete measurement on $\mathcal{H}_p$. Let the outcome 
be $O_p$. 

10. Let $I := (I_p)_{p \in in(CPorts_{M_{cs}})}$ and $O := (O_p)_{p \in out(CPorts_{M_{cs}})}$. Append $(name_{M_{cs}}, s, I, s', O, P)$ 
to the trace (which initially is empty). 

11. Let MOVE denote the superoperator over $\mathbb{C}^{\Sigma^*} \otimes \mathbb{C}^{\Sigma^*} =: \mathcal{H}_1 \otimes \mathcal{H}_2$ defined by 
$\rho \mapsto |\varepsilon\rangle\langle\varepsilon| \otimes \mathrm{tr}_2\, \rho$.§ Then for each simple out-port p! ∈ Ports_{M_cs} perform the following: 
Measure whether p! is empty, i.e. measure whether $\mathcal{H}_{p!}$ is in state |ε⟩. If nonempty, 
apply MOVE to $\mathcal{H}_{p!} \otimes \mathcal{H}_{p\leftrightarrow?}$. Then (if p! was nonempty) switch buffer p̃, i.e. apply 
$\Delta_{buff}$ to $\mathcal{H}_{\tilde p}$. 

12. For each p ∈ Ports_{M_cs}, prepare |ε⟩⟨ε| in $\mathcal{H}_p$ (with ε being the empty word). 

13. Let s◁! be the first clock out-port from CPorts_{M_cs} (in the ordering given by the port 
sequence Ports_{M_cs}) with $O_{s\triangleleft!} \neq \varepsilon$. If there is no such port, proceed to Step 2. 

14. Prepare $|O_{s\triangleleft!}\rangle\langle O_{s\triangleleft!}|$ in $\mathcal{H}_{s\triangleleft?}$. Then switch buffer s̃ (apply $\Delta_{buff}$ to $\mathcal{H}_{\tilde s}$). Measure whether 
s↔! is empty (measure whether $\mathcal{H}_{s\leftrightarrow!}$ is in state |ε⟩). If it is empty, proceed to Step 2. 

15. Apply MOVE to $\mathcal{H}_{s\leftrightarrow!} \otimes \mathcal{H}_{s?}$. Let M_cs be the unique machine with s? ∈ Ports_{M_cs}. 
Proceed to Step 3. 

‡ Formally, we apply the superoperator $\rho \mapsto |1\rangle\langle 1|$ to $\mathcal{H}_{clk\triangleleft?}$. 

§ I.e., the second subsystem is prepared to be |ε⟩⟨ε|, and then the subsystems are swapped. 

This measurement process induces a probability distribution on the trace (see Step 10). 
We call this probability distribution $run_{C,k}$ (the run/trace of C on security parameter 
k). We will also use $run_{C,k}$ for a random variable with that distribution. 

We will now comment on the individual steps of the measurement process above. 

In Step 1 the initial states of the machines are prepared. Each consists of the security 
parameter k (encoded as 1^k) as the classical state, and the empty word |ε⟩ as the quantum 
state. 

Then, in Step 2, the master scheduler is chosen to be the next machine to be activated, 
and its clk◁? port gets the content 1. The loop will jump to this step whenever the 
activation token is lost, see below. 

In Step 3 the classical state s of the current scheduler M_cs (the machine to be 
activated in this iteration of the loop) is measured for inclusion in the trace (Step 10). 
So s is the state before activation. 

In Step 4 it is checked whether the current scheduler is in a final state. If so, the 
master scheduler must be activated, so we go back to Step 2. If the current scheduler is 
the master scheduler and has terminated, the whole process terminates and the run is 
complete. 

In Step 5, for each in-port the length function is evaluated, and if it is 0, the content 
of that port is erased (so that messages on this port are ignored). 

Then, in Step 6, the contents of all classical ports are measured for inclusion in the 
trace (Step 10). 

In Step 7 it is checked whether there is at least one port containing data. If not, 
the current scheduler is not activated, and the master scheduler is activated by going to 
Step 2. 

Step 8 is probably the most important step in the run. Here the current scheduler's 
state-transition operator is finally applied. 

Then in Step 9 the classical state s' of the current scheduler and its classical outputs 
are measured for inclusion into the trace. 

In Step 10 the classical state of the current scheduler before and after execution, and 
its classical in- and outputs, are appended to a variable called the trace. This variable 
describes the observable behaviour of the network, and its final value (or the possibly 
infinite sequence if the loop does not terminate) gives rise to a probability distribution 
of observable behaviour, the run or trace on security parameter k: $run_{C,k}$. 

Then, in Step 11, for each simple out-port of M_cs that is nonempty, the content of 
this port is moved to the corresponding buffer in-port. Then the buffer is activated, with 
the effect that it stores the incoming message into its queue (cf. Definition 3). 

Now, in Step 12, the contents of the ports of M_cs are erased (the contents of the 
clock out-ports are still needed, but they have been measured above and are therefore 
still accessible via the variables $O_{p\triangleleft!}$). 

In Step 13 we choose the first clock out-port of M_cs that contained output. If there 
is no such clock out-port, it means that M_cs did not want to schedule any connection, 
so the master scheduler is activated again via Step 2. 

Then in Step 14, if some connection is to be scheduled, the corresponding buffer is 
activated with the number of the message as input on its clock in-port p◁?. This has the 
effect of moving the message from the queue to the buffer out-port. 

Finally, in Step 15 the message is moved from the buffer's out-port to the recipient's 
corresponding simple in-port, and the recipient is noted to be the next machine to be 
activated (current scheduler). Then the loop proceeds with Step 3 (not Step 2, since this 
would activate the master scheduler). 

We encourage the reader to compare this formal definition with the intuitive description 
of the scheduling given in Section 2. 

So finally we have obtained a random variable $run_{C,k}$ describing the observable behaviour of 
the network and can proceed to the next section, where the actual security definitions 
will be stated. 
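To make the port bookkeeping of Section 2.2 (low-level complement, completion, free ports, closedness) and the scheduling loop of Definition 6 concrete, here is an added example that is not part of the paper: a purely classical simulation in which buffers are queues, clock out-ports carry message numbers, and a lost activation token returns control to the master scheduler. The ASCII port labels ("~" for ↔, "<" for ◁), the Machine class, the step-function interface and the three-machine network are constructed for this example; quantum states, measurements and length functions are omitted.

```python
from collections import deque

# Constructed ASCII stand-in for the paper's port notation (labels e, <->, <|):
#   "p!", "p?"    simple out-/in-port        "p~!", "p~?"  buffer out-/in-port
#   "p<!", "p<?"  clock out-/in-port         "clk<?"       master-clock-port
MASTER_CLOCK = "clk<?"


def split_port(port):
    """Return (name, label, direction) of a port string such as 'net<!'."""
    direction, body = port[-1], port[:-1]
    label = body[-1] if body[-1:] in ("~", "<") else ""
    return (body[:-1] if label else body), label, direction


# Low-level complement of Section 2.2: (p!)^c = p~?, (p?)^c = p~!, (p~!)^c = p?,
# (p~?)^c = p!, (p<!)^c = p<?, (p<?)^c = p<!.
_COMPLEMENT = {("", "!"): ("~", "?"), ("", "?"): ("~", "!"),
               ("~", "!"): ("", "?"), ("~", "?"): ("", "!"),
               ("<", "!"): ("<", "?"), ("<", "?"): ("<", "!")}


def complement(port):
    name, label, direction = split_port(port)
    new_label, new_direction = _COMPLEMENT[(label, direction)]
    return f"{name}{new_label}{new_direction}"


def completion(machines):
    """Names of the buffers [C] adds: one per port name except clk<? (Def. 5)."""
    return {split_port(p)[0] for m in machines for p in m.ports if p != MASTER_CLOCK}


def free_ports(machines):
    """free([C]): ports of the completion that have no low-level complement."""
    ports = {p for m in machines for p in m.ports}
    for name in completion(machines):        # buffer ports p~?, p~!, p<? (Def. 3)
        ports |= {f"{name}~?", f"{name}~!", f"{name}<?"}
    return {p for p in ports if complement(p) not in ports}


def is_closed(machines):
    return free_ports(machines) == {MASTER_CLOCK}


class Machine:
    """Simple machine or master scheduler with a classical transition function
    step(inputs) -> (outputs, finished); inputs/outputs map ports to words."""

    def __init__(self, name, ports, step):
        self.name, self.ports, self.step, self.done = name, ports, step, False


def run(machines, master, max_activations=50):
    """Classical skeleton of Definition 6; returns the trace of (name, inputs, outputs)."""
    if not is_closed(machines):
        raise ValueError("collection is not closed")
    buffers = {name: deque() for name in completion(machines)}
    owner = {p: m for m in machines for p in m.ports}
    trace = []
    cs, inputs = master, {MASTER_CLOCK: "1"}                  # Step 2
    for _ in range(max_activations):
        if cs.done:                                             # Step 4
            if cs is master:
                break
            cs, inputs = master, {MASTER_CLOCK: "1"}
            continue
        outputs, cs.done = cs.step(inputs)                      # Steps 8 and 9
        trace.append((cs.name, inputs, outputs))                # Step 10
        for port, msg in outputs.items():                       # Step 11
            name, label, direction = split_port(port)
            if (label, direction) == ("", "!"):
                buffers[name].append(msg)
        # Step 13: first clock out-port (in port order) that carries a number
        clocks = [p for p in cs.ports
                  if p in outputs and split_port(p)[1:] == ("<", "!")]
        if not clocks:                                          # token lost -> Step 2
            cs, inputs = master, {MASTER_CLOCK: "1"}
            continue
        name, n = split_port(clocks[0])[0], int(outputs[clocks[0]])
        queue = buffers[name]
        if not 1 <= n <= len(queue):                            # Step 14: nothing to deliver
            cs, inputs = master, {MASTER_CLOCK: "1"}
            continue
        msg = queue[n - 1]
        del queue[n - 1]
        cs, inputs = owner[f"{name}?"], {f"{name}?": msg}       # Step 15
    return trace


def build_example():
    """Constructed network: master scheduler X drives a two-party protocol (A and B
    connected over 'net', as in Fig. 3) and receives B's answer on out_B."""
    sent = []

    def x_step(inputs):
        if "outB?" in inputs or sent:        # answer arrived (or token lost): Fin
            return {}, True
        sent.append(True)
        return {"inA!": "ping", "inA<!": "1"}, False

    x = Machine("X", [MASTER_CLOCK, "inA!", "inA<!", "outB?"], x_step)
    a = Machine("A", ["inA?", "net!", "net<!"],
                lambda i: ({"net!": "A:" + i["inA?"], "net<!": "1"}, False))
    b = Machine("B", ["net?", "outB!", "outB<!"],
                lambda i: ({"outB!": "B:" + i["net?"], "outB<!": "1"}, False))
    return [x, a, b], x


if __name__ == "__main__":
    machines, master = build_example()
    for entry in run(machines, master):
        print(entry)
```

Removing X from the collection leaves the protocol {A, B} open, and free_ports then reports exactly the dangling buffer and clock ports an honest user or adversary would have to connect to.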
3 Quantum security definitions 



In the preceding section we have defined what a quantum network is (formally, as a closed 
collection M). Further, we have described the evolution of such a network over time, 
and defined a random variable $run_{M,k}$ representing the observable behaviour of such 
a network when the security parameter is k. Using these prerequisites, it is now easy 
to define quantum simulatable security. In particular, nothing specially related to the 
quantum nature of our protocols has to be taken into account any more, so most of this 
section is very similar to [BPW04b]. 

3.1 Protocols 

Remember that we "defined" simulatable security in Section 1.6 approximately as fol- 
lows (we will talk of an ideal protocol instead of the special case of a trusted host here, 
for greater generality): 

A real protocol π is as secure as an ideal protocol ρ if for each real adversary 
A_real there is a simulator A_sim s.t. for all honest users H the view of H in runs with the 
real protocol and real adversary is indistinguishable from runs with the ideal protocol 
and the simulator. 

The first point of this "definition" we will elaborate on is the notion of a protocol. 
From Section 2.2 we already have the notion of a collection. We remember that a non- 
closed collection is one where some ports (the free ports) are still unconnected. So such 
an open collection can be regarded as a protocol, where the in- and outputs of the 
protocol go over the free ports to some still to be specified outer world. 




Fig. 3. A simple protocol 



Let us consider an example: Two parties A and B form a protocol. They have a 
connection net between them (so A and B have ports net! and net?, resp.), and for getting 
their in- and outputs they have ports in_A and out_B. Now the collection describing that 
protocol would simply be M := {A, B} (cf. Figure 3). But when we look at the free ports 
of M (strictly speaking of the completion of M), we note that 

$$free([M]) = \{in_A{\leftrightarrow}?,\ out_B{\leftrightarrow}!,\ in_A{\triangleleft}?,\ out_B{\triangleleft}?,\ net{\triangleleft}?\}.$$

This means that some protocol user (honest user) would in principle be able to connect 
e.g. to the protocol's net◁?-port. So a protocol user would "see" and even "control" the 
internal scheduling mechanisms of the protocol. But this ability we would reserve for the 
adversary. 

More precarious is the situation if we would like to say that our protocol implements 
some trusted host. Assume e.g. that the trusted host models some behaviour with an 
explicit insecurity (as is usual in the modelling of trusted hosts; in most cases the ad- 
versary is at least informed about the length of the data). Then the trusted host (its 
completion) would have another free port called e.g. len↔!. An honest user connecting 
to that port would of course immediately "notice a difference", be it only that there are 
more ports in the ideal than in the real protocol. 

Therefore we need a way to specify which ports the honest user may possibly connect 
to. Following [BPW04b] we will call these ports the service ports, and a non-closed 
collection together with the set of its service ports will be called a structure. A structure 
is our notion of a protocol. We cite the formal definition of a structure from [BPW04b]: 

Definition 7 (Structures and service ports [BPW04b]). A structure is a pair 
(M, S) where M is a collection of simple machines with S ⊆ free([M]). The set S is 
called the service ports of (M, S). 

The notion of service ports allows us to specify the set of ports an honest user must 
not connect to (we cite again): 

Definition 8 (Forbidden ports [BPW04b]). For a structure (M, S) let $\bar S := free([M]) \setminus S$. 
We call $forb(M, S) := Ports_M \cup \bar S^{c}$ the forbidden ports. ($^c$ denotes the 
element-wise low-level complement.) 

It is sufficient to know that forb(M, S) consists of the ports the honest user H may not have, either 
because they would connect to non-service ports, or because they are already used by 
the protocol and would give rise to a name clash. 

The next step is to specify which honest users and adversaries are valid ones. We must 
e.g. disallow honest users which connect to non-service ports. And we must guarantee 
that honest user, adversary and structure together give rise to a closed collection that 
can then be executed (as in Section 2.2) to give rise to some protocol trace. Here we can 
again cite [BPW04b]: 

Definition 9 (Configurations [BPW04b]). 

— A configuration of a structure (M, S) is a tuple conf = (M, S, H, A) where 

• H is a machine called user (or honest user) without forbidden ports, i.e., $Ports_H \cap forb(M, S) = \emptyset$. 

• A is a machine called adversary. 

• the completion C := [M ∪ {H, A}] is a closed collection. 

— The set of configurations of (M, S) is written Conf(M, S). 

— Let $(M_1, S)$ and $(M_2, S)$ be structures (with identical service ports). The set of 
suitable configurations $Conf^{M_2}(M_1, S) \subseteq Conf(M_1, S)$ is defined by $(M_1, S, H, A) \in 
Conf^{M_2}(M_1, S)$ iff $Ports_H \cap forb(M_2, S) = \emptyset$. 

The first part of this definition tells us what honest users and adversaries are admis- 
sible for some structure. Honest user H and adversary A are admissible for the structure 
(M, S) exactly if (M, S, H, A) ∈ Conf(M, S). 

The last part of the definition is needed further below. Consider an honest user that 
is admissible for the real protocol $(M_1, S)$. Then our security definition will use the same 
honest user also for the ideal protocol $(M_2, S)$. If the honest user has ports that would be 
forbidden with the ideal protocol, trouble is at hand. Therefore the definition of suitable 
configurations additionally requires that the honest user has no forbidden ports of either 
$(M_1, S)$ or $(M_2, S)$. 

3.2 The security relation 

Besides the unspecified notion of a "protocol", there was another under-specified term 
in the "definition" from Section 1.6: we required the view of H to be indistinguishable in 
runs with the real or the ideal protocol. So let us first specify what indistinguishability means 
in our scenario (we cite again): 

Definition 10 (Small functions [BPW04b]). 

— The class NEGL of negligible functions contains all functions $s : \mathbb{N} \to \mathbb{R}_{\geq 0}$ that 
decrease faster than the inverse of every polynomial, i.e., for all positive polynomials 
Q: $\exists k_0\ \forall k > k_0 : s(k) < 1/Q(k)$. 

— The set SMALL of functions $\mathbb{N} \to \mathbb{R}_{\geq 0}$ is a class of small functions if it is closed 
under addition, and with a function g also contains every function $g' : \mathbb{N} \to \mathbb{R}_{\geq 0}$ 
with $g' \leq g$. 

Definition 11 (Indistinguishability [BPW04b]). Two families $(var_k)_{k \in \mathbb{N}}$ and $(var'_k)_{k \in \mathbb{N}}$ 
of probability distributions (or random variables) on common domains $(D_k)_{k \in \mathbb{N}}$ are 

— perfectly indistinguishable ("=") iff $\forall k \in \mathbb{N} : var_k = var'_k$. 

— statistically indistinguishable ("$\approx_{SMALL}$") for a class SMALL of small functions if 
the distributions are discrete and their statistical distances, as a function of k, are 
small, i.e. 

$$StatDist(var_k, var'_k)_{k \in \mathbb{N}} := \Big(\tfrac{1}{2} \sum_{d \in D_k} |\Pr(var_k = d) - \Pr(var'_k = d)|\Big)_{k \in \mathbb{N}} \in SMALL.$$

Mostly we will use SMALL := NEGL. 

The last term in our definition that still has to be defined is that of a view. Intu- 
itively, a view is everything (classical) a machine experiences during the run. Since in 
the definition of the run every record in the run is tagged with the name of the cor- 
responding machine, it is now easy to define the view of a machine M by removing all 
entries not tagged with the name of that machine from the run. Formally: 

Definition 12 (Views). Let a closed collection C be given. Then Definition 6 gives 
rise to a family of random variables $run_{C,k}$. Let further M ∈ C be a simple machine 
or a master scheduler. Then the view $view_{C,k}(M)$ of M on security parameter k is the 
subsequence of $run_{C,k}$ resulting from taking only the elements $(n, s, I, s', O, P) \in run_{C,k}$ 
satisfying $n = name_M$. 

If conf = (M, S, H, A) is a configuration, then we define $view_{conf,k}(M) := view_{[M \cup \{H, A\}],k}(M)$. 

We restate our informal "definition": 

A real protocol π is as secure as an ideal protocol ρ if for each real adversary 
A_real there is a simulator A_sim s.t. for all honest users H the view of H in runs with the 
real protocol and real adversary is indistinguishable from runs with the ideal protocol 
and the simulator. 

Using the definitional tools developed above, we can capture this definition formally 
(slightly modified in comparison to [BPW04b] to include the notion of strict statistical 
security): 

Definition 13 (Security for structures). Let structures $(M_1, S)$ and $(M_2, S)$ with 
identical sets of service ports be given. 

— $(M_1, S) \geq_{sec}^{perf} (M_2, S)$, spoken $(M_1, S)$ is perfectly as secure as $(M_2, S)$, iff for every 
configuration $conf_1 = (M_1, S, H, A_{real}) \in Conf(M_1, S)$ (the real configuration), 
there exists a configuration $conf_2 = (M_2, S, H, A_{sim}) \in Conf(M_2, S)$ with the same H 
(the ideal configuration) s.t. 

$$(view_{conf_1,k}(H))_k = (view_{conf_2,k}(H))_k.$$

— $(M_1, S) \geq_{sec}^{SMALL} (M_2, S)$, spoken $(M_1, S)$ is strictly statistically as secure as $(M_2, S)$ 
for a class SMALL of small functions, iff for every configuration $conf_1 = (M_1, S, H, A_{real}) \in 
Conf(M_1, S)$ (the real configuration), there exists a configuration $conf_2 = (M_2, S, H, A_{sim}) \in 
Conf(M_2, S)$ with the same H (the ideal configuration) s.t. 

$$(view_{conf_1,k}(H))_k \approx_{SMALL} (view_{conf_2,k}(H))_k.$$

In both cases, we speak of universal simulatability (or universal security) if $A_{sim}$ in 
$conf_2$ does not depend on H (only on $M_1$, S, and $A_{real}$), and we use the notation $\geq_{sec}^{perf,uni}$ 
etc. for this. 

3.3 Corruption 

So far, we have not modelled the possibility of corrupting a party. However, the approach of [BPW04b] applies to our setting with virtually no modifications, so we simply refer to [BPW04b]. (A very short sketch of their approach is also found in the introduction.)
4 Composition



In the present section we are going to show the simple composition theorem. See the introduction for an overview of what this composition theorem is for and of the different flavours of composition theorems that exist.

4.1 Combinations 

Consider a network consisting of some machines $M_1, \dots, M_n$. Imagine now taking two of these machines (say $M_1, M_2$) and putting them into a cardboard box (without disconnecting any of the network cables). Then (if the machines are not equipped with some special hardware for detecting cardboard boxes, e.g. a light sensor) no machine will detect a difference, i.e. the views of all machines are unchanged. Even more, we can now consider the cardboard box as a new, more complex machine $\mathrm{Comb}(M_1, M_2)$ (the combination of $M_1, M_2$). The view of $\mathrm{Comb}(M_1, M_2)$ then contains the views of $M_1$ and $M_2$, so we can still claim that the view of no machine (not even $M_1$ or $M_2$) is changed by removing $M_1$ and $M_2$ from the network and replacing them by $\mathrm{Comb}(M_1, M_2)$.

This seemingly trivial observation is — when formally modelled — a powerful tool for reasoning about networks which we will need below.

Before we define the combination, consider the following technical definition: 

Definition 14 (Canonisation). Let a master scheduler or a simple machine M with state-transition operator $\Delta_M$ be given. Let $\mathcal{H}_M$ denote the state space of M (together with its inputs and outputs).

Then we define $\tilde\Delta_M$ to be the superoperator resulting from the following measurement process on $\mathcal{H}_M$:

— Measure the classical state s of M.

— For each in-port of M, measure whether it is empty.

— For each in-port p s.t. $l_M(s, p) = 0$, prepare $|\varepsilon\rangle\langle\varepsilon|$ in $\mathcal{H}_p$.

— If $s \notin \mathrm{Fin}_M$, and at least one port was nonempty, apply $\Delta_M$.

Then the canonisation of M is the machine

$\tilde M := (\mathrm{name}_M, \mathrm{Ports}_M, \mathrm{CPorts}_M, \mathrm{QStates}_M, \mathrm{CStates}_M, \tilde\Delta_M, l_M, \mathrm{Fin}_M),$

i.e. $\tilde M$ results from M by replacing its state-transition operator by $\tilde\Delta_M$.

Now note that in the run algorithm (the run definition) the state-transition operator $\Delta_M$ is applied in one single step. But preceding that step, measurements occurred that guarantee that at least one port is nonempty, that s is not a final state, and that all ports with $l_M(s, p) = 0$ are empty. Therefore there is no difference between using $\tilde\Delta_M$ and $\Delta_M$ in that step. From this insight, the following lemma follows:

Lemma 1. Let C be some closed collection and $M \in C$ a master scheduler or a simple machine. Let $\tilde M$ be the canonisation of M, and $D := C \setminus \{M\} \cup \{\tilde M\}$ result from replacing M by $\tilde M$. Then D is closed, and for all $k \in \mathbb{N}$

Using the canonisation it is now easy to define the combination of two machines: 

Definition 15 (Combination). Let two machines $M_1, M_2$ with disjoint sets of ports be given. Assume both of them to be either master schedulers or simple machines or combinations thereof.

Denote by $\tilde M_1$ and $\tilde M_2$ the canonisations of $M_1$ and $M_2$.

Then let

$\mathrm{name}_C := \mathrm{name}_{\tilde M_1}\,\mathrm{name}_{\tilde M_2}$

$\mathrm{Ports}_C := \mathrm{Ports}_{\tilde M_1} \cup \mathrm{Ports}_{\tilde M_2}$

$\mathrm{CPorts}_C := \mathrm{CPorts}_{\tilde M_1} \cup \mathrm{CPorts}_{\tilde M_2}$

$\mathrm{QStates}_C := \mathrm{QStates}_{\tilde M_1} \times \mathrm{QStates}_{\tilde M_2}$

$\mathrm{CStates}_C := \mathrm{CStates}_{\tilde M_1} \times \mathrm{CStates}_{\tilde M_2}$

$\Delta_C := \tilde\Delta_{M_1} \otimes \tilde\Delta_{M_2}$

$l_C((c_1, c_2), p) := l_{\tilde M_1}(c_1, p)$ if $p \in \mathrm{Ports}_{\tilde M_1}$, and $l_C((c_1, c_2), p) := l_{\tilde M_2}(c_2, p)$ if $p \in \mathrm{Ports}_{\tilde M_2}$

$\mathrm{Fin}_C := \mathrm{Fin}_{\tilde M_1} \times \mathrm{Fin}_{\tilde M_2}$

and

$\mathrm{Comb}(M_1, M_2) := (\mathrm{name}_C, \mathrm{Ports}_C, \mathrm{CPorts}_C, \mathrm{QStates}_C, \mathrm{CStates}_C, \Delta_C, l_C, \mathrm{Fin}_C).$

We can now state the following combination lemma: 

Lemma 2 (Combination). Let a closed collection C be given. Assume $M_1, M_2 \in C$ to be master schedulers, simple machines or a combination of both. Let $D := C \setminus \{M_1, M_2\} \cup \{\mathrm{Comb}(M_1, M_2)\}$.

Then for any machine $M \in C \setminus \{M_1, M_2\}$ it is for all $k \in \mathbb{N}$

$\mathrm{view}_{C,k}(M) = \mathrm{view}_{D,k}(M).$

Further let $\widetilde{\mathrm{view}}_{D,k}(M_1)$ denote the view of $M_1$ extracted from $v := \mathrm{view}_{D,k}(\mathrm{Comb}(M_1, M_2))$ in the following manner:

For each element $v_i = (\mathit{name}, (s_1, s_2), (I_1, I_2), (s'_1, s'_2), (O_1, O_2), P)$, do the following:

— If $P \cap \mathrm{Ports}_{M_1} \ne \emptyset$, replace $v_i$ by $(\mathrm{name}_{M_1}, s_1, I_1, s'_1, O_1, P)$.

— Otherwise, remove $v_i$ from the view.

Then

$\mathrm{view}_{C,k}(M_1) = \widetilde{\mathrm{view}}_{D,k}(M_1).$

The same holds for $M_2$.

The proof of this lemma consists of first applying Lemma 1 to pass from C to C', where C' is C with $M_1$ and $M_2$ replaced by their canonisations. The rest is a straightforward but long and tedious checking of each step of the run-algorithm in the run definition to show

$\mathrm{view}_{C'}(M) = \mathrm{view}_D(M).$

A proof is given in Appendix A.1.

So this lemma states that we can in fact replace any two machines by their combination, without changing the behaviour of the network or the views of the individual machines.

We write $\mathrm{Comb}(M_1, M_2, \dots, M_n)$ for $\mathrm{Comb}(M_1, \mathrm{Comb}(M_2, \mathrm{Comb}(\dots, \mathrm{Comb}(M_{n-1}, M_n))))$ to get a combination of more than two machines.
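As an added example (not code from the paper), the following Python models a run as a list of classical records, builds the run of the collection D from a constructed run of C, and checks that the extraction of Lemma 2 (equivalently the mapping f used in its proof in Appendix A.1) recovers the views of $M_1$ and $M_2$ while all other views stay unchanged; machine names, port names and states are made up.

```python
"""Added example (not from the paper): run records, views (Definition 12),
the run of the combined collection D and the view extraction of Lemma 2 /
the mapping f of Appendix A.1, on a constructed run with made-up names."""
from typing import Any, FrozenSet, List, NamedTuple


class Rec(NamedTuple):          # one run record (n, s, I, s', O, P)
    name: str
    s: Any                      # classical state before the activation
    I: Any                      # inputs read on the clock in-ports
    s_next: Any                 # classical state afterwards (s')
    O: Any                      # outputs on the clock out-ports
    P: FrozenSet[str]           # in-ports that were nonempty


def view(run: List[Rec], name: str) -> List[Rec]:
    """Definition 12: the subsequence of the run tagged with `name`."""
    return [r for r in run if r.name == name]


def combine_run(run, m1, m2, init, comb="Comb(M1,M2)"):
    """Run of D = C \\ {M1,M2} u {Comb(M1,M2)}: an activation of M1 or M2
    becomes one of Comb with paired (M1 part, M2 part) state, inputs and
    outputs; the inactive component is carried along, with empty I/O ({})."""
    state, out = dict(init), []
    for r in run:
        if r.name not in (m1, m2):
            out.append(r)       # machines outside the box are untouched
            continue
        o = state[m2 if r.name == m1 else m1]   # state of the inactive one
        if r.name == m1:
            s, I, s2, O = (r.s, o), (r.I, {}), (r.s_next, o), (r.O, {})
        else:
            s, I, s2, O = (o, r.s), ({}, r.I), (o, r.s_next), ({}, r.O)
        out.append(Rec(comb, s, I, s2, O, r.P))
        state[r.name] = r.s_next
    return out


def f(run_d, comb, names, ports):
    """Mapping f of Appendix A.1: a Comb record is attributed to the component
    whose ports occur in P and projected to it; other records are kept.
    Lemma 2's extracted view of M_i is then view(f(run_D), M_i)."""
    out = []
    for r in run_d:
        if r.name != comb:
            out.append(r)
            continue
        hits = [i for i, n in enumerate(names) if r.P & ports[n]]
        if len(hits) != 1:      # P meets exactly one machine's ports
            raise ValueError(f"P={set(r.P)} does not identify one component")
        i = hits[0]
        out.append(Rec(names[i], r.s[i], r.I[i], r.s_next[i], r.O[i], r.P))
    return out


# Constructed run of a closed collection C = {M1, M2, H}; names are made up.
PORTS = {"M1": frozenset({"a?", "clk<?"}), "M2": frozenset({"b?"})}
INIT = {"M1": "idle", "M2": "idle"}
RUN_C = [
    Rec("M1", "idle", {"clk<?": 1}, "sent", {"b<!": 1}, frozenset({"clk<?"})),
    Rec("M2", "idle", {}, "got", {}, frozenset({"b?"})),
    Rec("H", 0, {}, 1, {}, frozenset({"h?"})),
    Rec("M1", "sent", {}, "done", {}, frozenset({"a?"})),
]


def lemma2_holds(run_c=RUN_C):
    """Check Lemma 2 and run_C = f(run_D) on the constructed run."""
    run_d = combine_run(run_c, "M1", "M2", INIT)
    unchanged = view(run_c, "H") == view(run_d, "H")
    mapped = f(run_d, "Comb(M1,M2)", ["M1", "M2"], PORTS)
    recovered = all(view(run_c, m) == view(mapped, m) for m in ("M1", "M2"))
    return unchanged and recovered and mapped == run_c
```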

4.2 Transitivity 

Lemma 3 (Transitivity). Let $(\hat M_1, S) \ge (\hat M_2, S) \ge (\hat M_3, S)$. Then $(\hat M_1, S) \ge (\hat M_3, S)$.

Here $\ge$ may denote perfect, strict statistical, universal perfect and universal strict statistical security.

This lemma is obvious from Definition 13.

4.3 The simple composition theorem 

In the preceding sections we have tried to get a strong notational and structural similarity to [BPW04b]. We can now harvest the fruits of this program: the definition of simple composition, the simple composition theorem and the proof thereof are almost identical to those in the RS framework. We restate the definition of composition for self-containment:

Definition 16 (Composition [Bac02]). Structures $(\hat M_1, S_1), \dots, (\hat M_n, S_n)$ are composable if no port of $\hat M_i$ is contained in $\mathrm{forb}(\hat M_j, S_j)$ for $i \ne j$, and $S_i \cap \mathrm{free}([\hat M_j]) = S_j \cap \mathrm{free}([\hat M_i])$.

Their composition is then $(\hat M_1, S_1) \| \dots \| (\hat M_n, S_n) := (\hat M, S)$ with $\hat M = \hat M_1 \cup \dots \cup \hat M_n$ and $S = (S_1 \cup \dots \cup S_n) \cap \mathrm{free}([\hat M])$.

For details on the conditions in the definition of composability, see [Bac02]. We can now state the simple composition theorem (called Secure Two-system Composition in [Bac02]):
Theorem 1 (Simple composition). Let $(\hat M_0, S_0)$, $(\hat M'_0, S_0)$ and $(\hat M_1, S_1)$ be structures, s.t. $(\hat M_0, S_0)$, $(\hat M_1, S_1)$ are composable, and $(\hat M'_0, S_0)$ and $(\hat M_1, S_1)$ are composable. Assume further $\mathrm{ports}(\hat M_0) \cap S_1^c = \mathrm{ports}(\hat M'_0) \cap S_1^c$. ($\mathrm{ports}(\hat M)$ is the set of all ports of all machines in $\hat M$.) Then

$(\hat M_0, S_0) \ge (\hat M'_0, S_0) \implies (\hat M_0, S_0) \| (\hat M_1, S_1) \ge (\hat M'_0, S_0) \| (\hat M_1, S_1).$

Here $\ge$ may denote perfect, strict statistical, universal perfect and universal strict statistical security.

The proof of the composition theorem in [PW01] is completely based on a higher-level view on the network model in the sense that every statement about the view of machines is derived through the combination lemma. So the proof of [PW01] applies in the quantum setting. (In fact the proof in [PW01] covers the more general case of the security of systems; however, the composition theorem stated above is just a special case of the composition theorem in [PW01].) We therefore refer the reader to the proof in [PW01].
5 Conclusions

In the present work we have seen how to "lift" a classical model to a quantum one. However, much possible work still lies ahead:

— Simplicity. In the personal opinion of the author, the most urgent matter is the 
search for a model that is both simple (meaning both being simple to understand, and 
simple to use in proofs) and general (so taking recourse to restricting the possibilities 
of scheduling and message delivery would not be a solution). 

We believe that the complexity and the amount of details in the present work (the reader probably noticed them) is mostly due to the use of a message-driven scheduling. A glance at the run-algorithm (the run definition) shows that most of the steps are actually concerned with finding out which machine is to be activated with which inputs. Only one step actually executes a machine's program. Note however that these complications are not particular to our model. Both in [BPW04b] and [Can01] most of the modelling is concerned with the order of activation of the machines. An effect of this is that security proofs tend to either get complicated and unreadable, or tend to ignore the details of scheduling almost completely and assume that message delivery will take place in a well-behaved and intuitive way.

In the quantum case this problem is amplified by the fact that here one has to take 
care to explicitly specify any measurements done, instead of just referring to facts 
about the state of the system as in the classical case. 

— Formal proofs and machine verification. Even when the security models have reached a point where proofs may concentrate on the essentials, large protocols may still be quite complex to manage. It would therefore be very helpful to have at hand tools for formally proving security (using e.g. rewriting rules for networks or similar), and for verifying (or even generating) proofs with a machine.

Some efforts have already been made in that direction in the RS framework, e.g. already in [BCJP02] the security of a protocol was shown in the theorem prover PVS.

— Concrete security proofs. So far only a few protocols have been shown to be secure in a model of simulatable security. E.g., the only family of quantum protocols so far is that of quantum key distribution.
A Postponed proofs



A.1 Combination lemma (Lemma 2)

Let $C' := C \setminus \{M_1, M_2\} \cup \{\tilde M_1, \tilde M_2\}$, i.e. C' results from C by replacing $M_i$ by their canonisations $\tilde M_i$. Then by Lemma 1 the views in C and in C' coincide.

So for proving the first part of Lemma 2 it is sufficient to show

$\mathrm{view}_{C'}(M) = \mathrm{view}_D(M).$ (4)

In order to do this, we will start with the run-algorithm for C' and perform a series of rewritings, until we have reached the run-algorithm for D.
Let $A_0$ denote the run-algorithm for C'. Then we derive the algorithm $A_1$ by replacing Steps [?] and [?] by

[?]'. Initialise the variable $\bar M_{CS}$ (the current scheduler) to have the value $\bar X$. Prepare $|1\rangle\langle 1|$ in $\mathcal{H}_{\mathrm{clk}^{\triangleleft}?}$. Set $M_{CS} := X$. (Here $\bar X := \mathrm{Comb}(M_1, M_2)$ if $M_1$ or $M_2$ is master scheduler, and $\bar X := X$ otherwise.)

[?]'. Apply MOVE to $\mathcal{H}_{s^{\triangleleft}!} \otimes \mathcal{H}_{s^{\triangleleft}?}$. Let $M_{CS}$ be the unique machine in C' with $s^{\triangleleft}? \in \mathrm{Ports}_{M_{CS}}$. Let $\bar M_{CS}$ be the unique machine in D with $s^{\triangleleft}? \in \mathrm{Ports}_{\bar M_{CS}}$, i.e. if $M_{CS} \in \{M_1, M_2\}$, assign $\bar M_{CS} := \mathrm{Comb}(M_1, M_2)$, otherwise set $\bar M_{CS} := M_{CS}$. Proceed to Step [?].

In both steps we have only set a hitherto unused variable, but changed nothing else, so the behaviour of $A_0$ and $A_1$ is identical, i.e. if we define $O_i$ to be the output (the trace) of $A_i$,

$\mathrm{run}_{C'} = O_0 = O_1.$ (5)

Further note that it now holds after every step of the algorithm that $\bar M_{CS} = M_{CS}$ for $M_{CS} \notin \{M_1, M_2\}$, and $\bar M_{CS} = \mathrm{Comb}(M_1, M_2)$ otherwise.

We now derive the algorithm $A_2$ from $A_1$ by replacing Step [?] by

[?]'. Perform a complete von-Neumann measurement in the computational basis (called a complete measurement from now on) on $\mathbb{C}^{\mathrm{CStates}_{\bar M_{CS}}}$. Let $\bar s$ denote the outcome. If $M_{CS} \notin \{M_1, M_2\}$, set $s := \bar s$, otherwise let s be the i-th component of $\bar s$ (for $M_{CS} = M_i$).

We use here $\mathbb{C}^{\mathrm{CStates}_{\mathrm{Comb}(M_1,M_2)}} = \mathbb{C}^{\mathrm{CStates}_{\tilde M_1}} \otimes \mathbb{C}^{\mathrm{CStates}_{\tilde M_2}}$.

If $M_{CS} \notin \{M_1, M_2\}$, this step evidently behaves like Step [?] (except that it sets a variable that is not used in other steps). If $M_{CS} = M_1$, the classical state of $M_2$ is additionally measured; however, this state was already measured in Step [?], so measuring it does not disturb the state of the system. Further, the result the original Step [?] would have yielded (s) is reconstructed from $\bar s$. Therefore in this case Step [?]' behaves like Step [?]. Analogously for $M_2$. So we have

$O_1 = O_2.$ (6)
Similarly, we get algorithm $A_3$ by successively replacing seven further steps by the following:

[?]'. For each port $p \in \mathrm{in}(\mathrm{Ports}_{\bar M_{CS}})$ s.t. $l_{\bar M_{CS}}(\bar s, p) = 0$, prepare $|\varepsilon\rangle\langle\varepsilon|$ in $\mathcal{H}_p$.

[?]'. For each $p \in \mathrm{in}(\mathrm{CPorts}_{\bar M_{CS}})$, perform a complete measurement on $\mathcal{H}_p$. Let the outcome be $I_p$.

[?]'. For each port $p \in \mathrm{in}(\mathrm{Ports}_{\bar M_{CS}})$, measure whether $\mathcal{H}_p$ is in state $|\varepsilon\rangle$ (whether it is empty). If all ports were empty, proceed to Step [?]'. Otherwise let P be the set of the ports that were nonempty.

[?]'. Perform a complete measurement on $\mathbb{C}^{\mathrm{CStates}_{\bar M_{CS}}}$. Let $\bar s'$ denote the outcome. For each $p \in \mathrm{out}(\mathrm{CPorts}_{\bar M_{CS}})$, perform a complete measurement on $\mathcal{H}_p$. Let the outcome be $O_p$. If $M_{CS} \notin \{M_1, M_2\}$, set $s' := \bar s'$, otherwise let $s'$ be the i-th component of $\bar s'$ (for $M_{CS} = M_i$).

[?]'. For each simple out-port $p! \in \mathrm{Ports}_{\bar M_{CS}}$ perform the following: Measure whether $p!$ is empty, i.e. measure whether $\mathcal{H}_{p!}$ is in state $|\varepsilon\rangle$. If nonempty, apply MOVE to $\mathcal{H}_{p!} \otimes \mathcal{H}_{p^{\leftrightarrow}?}$. Then (if $p!$ was nonempty) switch buffer $p^{\leftrightarrow}$, i.e. apply $\Delta_{\mathrm{buff}}$ to $\mathcal{H}_{p^{\leftrightarrow}}$.

[?]'. For each $p \in \mathrm{Ports}_{\bar M_{CS}}$, prepare $|\varepsilon\rangle\langle\varepsilon|$ in $\mathcal{H}_p$.

[?]'. Let $s^{\triangleleft}!$ be the first clock out-port from $\mathrm{CPorts}_{\bar M_{CS}}$ (in the ordering given by the port sequence $\mathrm{Ports}_{\bar M_{CS}}$) with $I_{s^{\triangleleft}!} \ne \varepsilon$. If there is no such port, proceed to Step [?]'.

Note: In all steps we have replaced $M_{CS}$ by $\bar M_{CS}$, in the first of them also s by $\bar s$, and in the fourth we have additionally generated $s'$ from the measurement result $\bar s'$.

The reader can easily convince himself (similarly to the reasoning on the replacement of Step [?] above) that each of the replacements does not modify the behaviour of the algorithm, so

$O_2 = O_3.$ (7)
Now we replace Step [?] by the following, resulting in an algorithm $A_4$:

[?]'. If $s \in \mathrm{Fin}_{M_{CS}}$ and $M_{CS} = X$, exit (the run is complete). If $s \in \mathrm{Fin}_{M_{CS}}$, $M_{CS} \ne X$, erase $\mathcal{H}_p$ for all $p \in \mathrm{in}(\mathrm{Ports}_{\bar M_{CS}})$, and proceed to Step [?]'.

This does not change the behaviour of the algorithm, since if a machine has terminated, its in-ports are not read any more, so they can safely be erased. The in-ports of all other machines are either empty or will not be read any more, so they can also safely be erased. Therefore

$O_3 = O_4.$ (8)
Now we replace Step [?]' by the following, resulting in an algorithm $A_5$:

[?]''. If $\bar s \in \mathrm{Fin}_{\bar M_{CS}}$ and $\bar M_{CS} = \bar X$, exit (the run is complete). If $\bar s \in \mathrm{Fin}_{\bar M_{CS}}$, but $\bar M_{CS} \ne \bar X$, erase $\mathcal{H}_p$ for all $p \in \mathrm{in}(\mathrm{Ports}_{\bar M_{CS}})$, and proceed to Step [?]'.

Here $\bar X := \mathrm{Comb}(M_1, M_2)$ if $M_1$ or $M_2$ is master scheduler, and $\bar X := X$ otherwise. To compare Steps [?]' and [?]'' we have to distinguish the following cases:

— If $M_{CS} \notin \{M_1, M_2\}$, it is $\bar M_{CS} = M_{CS}$, so Steps [?]' and [?]'' exhibit the same behaviour.

— If $M_{CS} = M_1$ and $s \notin \mathrm{Fin}_{M_1}$, it also is $\bar s \notin \mathrm{Fin}_{\mathrm{Comb}(M_1,M_2)}$, so Steps [?]' and [?]'' exhibit the same behaviour.

— If $M_{CS} = M_1$, $s \in \mathrm{Fin}_{M_1}$ and $\bar s \in \mathrm{Fin}_{\mathrm{Comb}(M_1,M_2)}$, Steps [?]' and [?]'' exhibit the same behaviour.

— If $M_{CS} = M_1$, $M_1$ is not master scheduler, $s \in \mathrm{Fin}_{M_1}$, and $\bar s \notin \mathrm{Fin}_{\mathrm{Comb}(M_1,M_2)}$, then Step [?]' will jump to Step [?]', while from Step [?]'' the algorithm will proceed through Steps [?], [?] and [?]. Since $l(s, p) = 0$ for all in-ports of $M_1$ (since $M_1$ was canonised), in Step [?] all inputs will be erased. So in Step [?] the algorithm will jump to Step [?]. So in this case, Steps [?]' and [?]'' exhibit the same behaviour.

— If $M_{CS} = M_1$, $M_1$ is master scheduler, $s \in \mathrm{Fin}_{M_1}$, and $\bar s \notin \mathrm{Fin}_{\mathrm{Comb}(M_1,M_2)}$, then Step [?]' will cause the algorithm $A_4$ to terminate, while algorithm $A_5$ will be caught in an infinite loop without output (Steps [?] to [?]), since $l_{M_1}(s, \mathrm{clk}^{\triangleleft}?) = 0$ (because $M_1$ was canonised). So also in this case, the trace will end here.

— For $M_{CS} = M_2$, we distinguish analogous cases.

So we can conclude

$O_4 = O_5.$ (9)

Further (using the same argument as above, where we replaced Step [?] by [?]'), we can replace Step [?]'' by Step [?]''' and get algorithm $A_6$:

[?]'''. If $\bar s \in \mathrm{Fin}_{\bar M_{CS}}$ and $\bar M_{CS} = \bar X$, exit (the run is complete). If $\bar s \in \mathrm{Fin}_{\bar M_{CS}}$, but $\bar M_{CS} \ne \bar X$, proceed to Step [?]'.

so

$O_5 = O_6.$ (10)
Now, we make the following change to Step [?], resulting in algorithm $A_7$:

[?]'. Apply the state-transition operator $\Delta_{M_{CS}}$ to $\mathcal{H}_{M_{CS}}$. If $M_{CS} = M_1$, then additionally apply $\tilde\Delta_{M_2}$ to $\mathcal{H}_{\tilde M_2}$. If $M_{CS} = M_2$, then additionally apply $\tilde\Delta_{M_1}$ to $\mathcal{H}_{\tilde M_1}$.

If $M_{CS} \ne M_1$, then either all in-ports of $M_1$ are empty or $M_1$ is in a final state. Since $M_1$ has been canonised, applying $\tilde\Delta_{M_1}$ in this case behaves like the identity. The same holds for $M_2$. So the above changes have no effect, and

$O_6 = O_7.$ (11)

Now we replace Step [?]' by [?]'', yielding algorithm $A_8$:

[?]''. Apply the state-transition operator $\Delta_{\bar M_{CS}}$ to $\mathcal{H}_{\bar M_{CS}}$.

By definition of $\Delta_{\bar M_{CS}}$, and since $\Delta_{\mathrm{Comb}(M_1,M_2)} := \tilde\Delta_{M_1} \otimes \tilde\Delta_{M_2}$, we have

$O_7 = O_8.$ (12)
Now we replace Step [?] by [?]', yielding algorithm $A_9$:

[?]'. Let $I := (I_p)_{p \in \mathrm{in}(\mathrm{CPorts}_{\bar M_{CS}})}$ and $O := (O_p)_{p \in \mathrm{out}(\mathrm{CPorts}_{\bar M_{CS}})}$. Add $(\mathrm{name}_{\bar M_{CS}}, \bar s, I, \bar s', O, P)$ to the trace (which initially is empty).

Let further f denote the function that element-wise applies the following mapping to the run:

$(\mathit{name}, s, I, s', O, P) \mapsto (\mathit{name}, s, I, s', O, P)$ if $\mathit{name} \ne \mathrm{name}_{\mathrm{Comb}(M_1,M_2)}$;

$(\mathit{name}, s, I, s', O, P) \mapsto (\mathrm{name}_{\tilde M_1}, s_1, I_1, s'_1, O_1, P)$ if $\mathit{name} = \mathrm{name}_{\mathrm{Comb}(M_1,M_2)}$ and $P \cap \mathrm{Ports}_{\tilde M_1} \ne \emptyset$;

$(\mathit{name}, s, I, s', O, P) \mapsto (\mathrm{name}_{\tilde M_2}, s_2, I_2, s'_2, O_2, P)$ if $\mathit{name} = \mathrm{name}_{\mathrm{Comb}(M_1,M_2)}$ and $P \cap \mathrm{Ports}_{\tilde M_2} \ne \emptyset$.

Here $s_i$ and $s'_i$ denote the i-th component of s and $s'$, resp. It is now easy to verify that

$O_8 = f(O_9).$ (13)

(Note that $P \cap \mathrm{Ports}_M \ne \emptyset$ only if $M_{CS} = M$.)

Since $\mathcal{H}_{\mathrm{Comb}(M_1,M_2)} = \mathcal{H}_{\tilde M_1} \otimes \mathcal{H}_{\tilde M_2}$, we replace $\mathcal{H}_{C'}$ by the isomorphic space $\mathcal{H}_D$, and rewrite Step [?] as follows, giving algorithm $A_{10}$:

[?]'. Prepare the state $\bigotimes_{M \in D} \rho^{\mathit{init}}_M \in P(\mathcal{H}_D)$, where

$\rho^{\mathit{init}}_M := |\varepsilon\rangle\langle\varepsilon| \otimes |\varepsilon, \dots, \varepsilon\rangle\langle\varepsilon, \dots, \varepsilon| \otimes |\varepsilon, \dots, \varepsilon\rangle\langle\varepsilon, \dots, \varepsilon| \in P(\mathcal{H}_M).$

Then obviously

$O_9 = O_{10}.$ (14)

From $A_{10}$ we can now derive $A_{11}$ by removing all instructions that set $M_{CS}$, s or $s'$. All in all, $A_{11}$ has the following description:

[?]'. Prepare the state $\bigotimes_{M \in D} \rho^{\mathit{init}}_M \in P(\mathcal{H}_D)$, where

$\rho^{\mathit{init}}_M := |\varepsilon\rangle\langle\varepsilon| \otimes |\varepsilon, \dots, \varepsilon\rangle\langle\varepsilon, \dots, \varepsilon| \otimes |\varepsilon, \dots, \varepsilon\rangle\langle\varepsilon, \dots, \varepsilon| \in P(\mathcal{H}_M).$

[?]'. Prepare $|1\rangle\langle 1|$ in $\mathcal{H}_{\mathrm{clk}^{\triangleleft}?}$. Set $\bar M_{CS} := \bar X$.

[?]'. Perform a complete von-Neumann measurement in the computational basis (called a complete measurement from now on) on $\mathbb{C}^{\mathrm{CStates}_{\bar M_{CS}}}$. Let $\bar s$ denote the outcome.

[?]'. If $\bar s \in \mathrm{Fin}_{\bar M_{CS}}$ and $\bar M_{CS} = \bar X$, exit (the run is complete). If $\bar s \in \mathrm{Fin}_{\bar M_{CS}}$, but $\bar M_{CS} \ne \bar X$, proceed to Step [?]'.

[?]'. For each port $p \in \mathrm{in}(\mathrm{Ports}_{\bar M_{CS}})$ s.t. $l_{\bar M_{CS}}(\bar s, p) = 0$, prepare $|\varepsilon\rangle\langle\varepsilon|$ in $\mathcal{H}_p$.

[?]'. For each $p \in \mathrm{in}(\mathrm{CPorts}_{\bar M_{CS}})$, perform a complete measurement on $\mathcal{H}_p$. Let the outcome be $I_p$.

[?]'. For each port $p \in \mathrm{in}(\mathrm{Ports}_{\bar M_{CS}})$, measure whether $\mathcal{H}_p$ is in state $|\varepsilon\rangle$ (whether it is empty). If all ports were empty, proceed to Step [?]'. Otherwise let P be the set of the ports that were nonempty.

[?]''. Apply the state-transition operator $\Delta_{\bar M_{CS}}$ to $\mathcal{H}_{\bar M_{CS}}$.

[?]'. Perform a complete measurement on $\mathbb{C}^{\mathrm{CStates}_{\bar M_{CS}}}$. Let $\bar s'$ denote the outcome. For each $p \in \mathrm{out}(\mathrm{CPorts}_{\bar M_{CS}})$, perform a complete measurement on $\mathcal{H}_p$. Let the outcome be $O_p$.

[?]'. Let $I := (I_p)_{p \in \mathrm{in}(\mathrm{CPorts}_{\bar M_{CS}})}$ and $O := (O_p)_{p \in \mathrm{out}(\mathrm{CPorts}_{\bar M_{CS}})}$. Add $(\mathrm{name}_{\bar M_{CS}}, \bar s, I, \bar s', O, P)$ to the trace (which initially is empty).

11'. For each simple out-port $p! \in \mathrm{Ports}_{\bar M_{CS}}$ perform the following: Measure whether $p!$ is empty, i.e. measure whether $\mathcal{H}_{p!}$ is in state $|\varepsilon\rangle$. If nonempty, apply MOVE to $\mathcal{H}_{p!} \otimes \mathcal{H}_{p^{\leftrightarrow}?}$. Then (if $p!$ was nonempty) switch buffer $p^{\leftrightarrow}$, i.e. apply $\Delta_{\mathrm{buff}}$ to $\mathcal{H}_{p^{\leftrightarrow}}$.

[?]'. For each $p \in \mathrm{Ports}_{\bar M_{CS}}$, prepare $|\varepsilon\rangle\langle\varepsilon|$ in $\mathcal{H}_p$.

[?]'. Let $s^{\triangleleft}!$ be the first clock out-port from $\mathrm{CPorts}_{\bar M_{CS}}$ (in the ordering given by the port sequence $\mathrm{Ports}_{\bar M_{CS}}$) with $I_{s^{\triangleleft}!} \ne \varepsilon$. If there is no such port, proceed to Step [?]'.

15'. Apply MOVE to $\mathcal{H}_{s^{\triangleleft}!} \otimes \mathcal{H}_{s^{\triangleleft}?}$. Let $\bar M_{CS}$ be the unique machine in D with $s^{\triangleleft}? \in \mathrm{Ports}_{\bar M_{CS}}$. Proceed to Step [?]'.

It is

$O_{10} = O_{11}.$ (15)

This algorithm $A_{11}$ is in fact the algorithm for the run of D, so

$O_{11} = \mathrm{run}_D.$ (16)

By equations (5) to (16) we have

$\mathrm{run}_{C'} = f(\mathrm{run}_D).$

From this it follows for all $M \in C'$ that

$\mathrm{view}_{C'}(M) = \mathrm{view}_D(M),$

where for $M = M_i$ (i = 1, 2) the right-hand side is to be read as $\widetilde{\mathrm{view}}_D(M_i)$, defined as in Lemma 2.

Using Lemma 1, the statement of the lemma follows. □